Open source vulnerabilities more than doubled in 2019

As open source is becoming more widely used, so are exploitable security vulnerabilities

Flaws in widely-used open source software more than doubled between 2018 and 2019, representing a significant uptick in security gaps and a record year for vulnerabilities in the open source ecosystem.

There were 968 common vulnerabilities and exposures (CVEs) in open source software last year, compared with 421 in 2018, according to research by vulnerability management firm RiskSense. This is also significantly higher than the average number of CVEs between 2015 and 2018 of 387. 

In addition, this staggering surge in vulnerabilities “does not appear to be a flash in the pan”. This is because the number of new CVEs has remained at historically high levels through the first three months of 2020 - 179 so far.

“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations,” said RiskSense CEO Srinivas Mukkamala. 

“Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”

With open source software becoming more widely used by swathes of businesses, the attack surface has been increasing, the research claims. While there are many benefits to the ecosystem, managing vulnerabilities can pose a unique challenge.

The research compiled data between 2015 and the first three months of 2020 with a total of 2,694 CVEs identified. RiskSense added it has published the report to provide useful data that organisations can use in their development, IT and security practices. 

This includes insights into particular open source projects and specific vulnerabilities that pose the most immediate risk based on factors such as the cyber security impact and active use in real-world campaigns.

Related Resource

Your comprehensive guide to low-code

The missing component of your digital strategy - for developers and CIOs alike

Download now

For example, the report found that the Jenkins automation server had the most CVEs overall with 646, which was closely followed with MySQL, with 624. These two were also the most weaponised vulnerabilities, with 15 exploit codes existing for each area.

One of the most potent projects - by the proportion of exploited CVEs - was HashiCorp’s Vagrant, which had only nine total CVEs, but six of them were weaponised.

Among weaponised weaknesses, cross-site scripting (XSS) and input validation were some of the most common variants. While XSS issues were the second most common type of weakness, these were the most weaponised, input validation issues were the third most common and second-most weaponised.

Some weaknesses, meanwhile, were far less common, but remained very popular in active campaigns. There were just 28 CVEs for desreialisation issues, 16 CVEs for code injection flaws, two CVEs for error handling issues and one CVE for container errors. These issues were all seen trending in the wild, however.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Golang XML parser vulnerability could enable SAML authentication bypass
vulnerability

Golang XML parser vulnerability could enable SAML authentication bypass

15 Dec 2020
How to automate your infrastructure with Ansible
automation

How to automate your infrastructure with Ansible

2 Dec 2020
The IT Pro Podcast: What COVID-19 can teach us about open data
Data & insights

The IT Pro Podcast: What COVID-19 can teach us about open data

30 Oct 2020
Windows XP source code allegedly leaked online
Microsoft Windows

Windows XP source code allegedly leaked online

25 Sep 2020

Most Popular

Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021