Top 5 New Open Source Vulnerabilities in April 2018


If April taught us anything, it’s that open source vulnerabilities are not for the faint of heart.

It seems like only yesterday that Drupal admins were waiting for security updates to fix April’s notorious Drupalgeddon, and — it’s back. As hackers have already started exploiting that nasty security issue, we’re here to tell you how the hard-working folks on Drupal’s security team have issued yet another security announcement after discovering another vulnerability.

We’ve put together a list of April’s top 5 new known open source security vulnerabilities, aggregated by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD) and, of course, from a number of publicly available, peer-reviewed open source security advisories.

Our top 5 list of projects hit by vulnerabilities this month consists of some oldies-but-goodies, as well as some fresh faces. All of the security vulnerabilities we’ve listed this month can be found in popular and widely used projects.

If you’re using open source components in your organization (newsflash: you are) you’re going to want to read this list. Please make sure to take action, and check your projects for vulnerable versions so that you can remediate and beat the hackers to it.

#1 Spring Data Commons

Vulnerability Score: Critical — 9.8

Vulnerability Score: High — 7.3

Affected versions: 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions

This month, two major vulnerabilities were discovered in the Spring Data Commons project.

The first, and the more highly rated for risk, is CVE-2018-1273. This vulnerability could be exploited by hackers to carry out a remote code execution attack, taking control of systems and performing unauthorized operations.

The second vulnerability found in Spring Data Commons this month is CVE-2018-1274, a (Read more...)
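The post asks you to check your projects for vulnerable versions. The following is an added example (not code from the original post or from WhiteSource) that encodes the affected ranges listed above for Spring Data Commons and flags dependency lines that fall inside them. It assumes Maven-style `groupId:artifactId:type:version:scope` coordinates as input, treats every version below 1.13 as one of the "older unsupported versions" the post mentions, and the sample lines are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as the post lists them (inclusive bounds).
AFFECTED_RANGES = [
    ((1, 13, 0), (1, 13, 10)),   # 1.13 to 1.13.10
    ((2, 0, 0), (2, 0, 5)),      # 2.0 to 2.0.5
]
# Assumption: "older unsupported versions" means anything below the 1.13 line.
OLDEST_SUPPORTED = (1, 13, 0)

ARTIFACT = "org.springframework.data:spring-data-commons"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '1.13.10.RELEASE' or '2.0' to a numeric (major, minor, patch) tuple.

    Qualifiers such as .RELEASE are ignored; a missing patch component is 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the Spring Data Commons version falls in a range the post lists."""
    v = parse_version(version)
    if v < OLDEST_SUPPORTED:
        return True  # older, unsupported line: assumed affected
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_dependencies(lines: List[str]) -> List[str]:
    """Return the versions of spring-data-commons in `lines` that are affected.

    Each line is expected in Maven's dependency:list shape,
    groupId:artifactId:type:version:scope; other artifacts are ignored.
    """
    flagged = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        coordinate = f"{parts[0]}:{parts[1]}"
        if coordinate != ARTIFACT:
            continue
        version = parts[3]
        if is_affected(version):
            flagged.append(version)
    return flagged


# Constructed sample dependency lines (not real project output).
SAMPLE_DEPENDENCIES = [
    "org.springframework.data:spring-data-commons:jar:1.13.10.RELEASE:compile",
    "org.springframework.data:spring-data-jpa:jar:1.11.10.RELEASE:compile",
    "org.springframework.data:spring-data-commons:jar:2.0.6.RELEASE:compile",
    "org.springframework.data:spring-data-commons:jar:1.12.3.RELEASE:compile",
]

if __name__ == "__main__":
    for v in scan_dependencies(SAMPLE_DEPENDENCIES):
        print(f"affected spring-data-commons version found: {v}")
```

Run it against the output of `mvn dependency:list` (one coordinate per line) to get a quick inventory of affected Spring Data Commons versions; the ranges are deliberately kept in one table at the top so they can be corrected from the vendor advisory rather than buried in logic.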

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: