Top 5 New Open Source Security Vulnerabilities in September 2019

October 3, 2019 Patricia Johnson

Autumn is officially upon us. While some take time this season to stock up on pumpkin spice and Halloween decorations, our Knowledge Team dove into the really scary stuff — reviewing the new open source security vulnerabilities published in September. 

In order to deliver our monthly top five new security vulnerabilities list, our fearless Knowledge Team combed through the WhiteSource database. This extensive database continuously collects published open source security vulnerabilities from a number of well-respected community sources like the National Vulnerability Database (NVD), peer-reviewed security advisories, and issue trackers so that we can provide the most comprehensive info about known open source security vulnerabilities and their fixes. 

September’s top 5 list of new open source vulnerabilities covers a wide range of open source projects, from back-end and operating systems, to programming languages, front-end and API development tools. If you’re developing software, then there’s a good chance you are directly or indirectly using one of the projects on this list. 

So, without further ado, here are September’s scariest top 5 new open source security vulnerabilities. 

#1 curl

CVE-2019-5481

Affected versions: 7.52.0 to 7.65.3

CVE-2019-5482

Affected versions: 7.19.4 to 7.65.3

Vulnerability Score: Critical — 9.8

We’ve got a two-for-one for you this month with this pair of highly critical issues discovered in cURL, the popular C-based URL transfer library. 

The first curl issue, CVE-2019-5481, is a double-free vulnerability in the FTP-kerberos code. According to the curl security advisory, “vulnerable versions of libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option.” 

The second curl issue, otherwise known as CVE-2019-5482, is a critical heap buffer overflow vulnerability in curl’s TFTP protocol handler. 

curl is used in pretty much any and every technology that requires internet transfer, including cars, routers, printers, audio equipment, mobile devices, media players and more. Considering the fact that curl supports thousands of software applications that impact billions of humans daily, it’s best to check which curl version you’re using and update it as soon as you can. 

It’s worth mentioning that both of these issues were published on the curl advisories, along with their fix, within two weeks or less of being reported, which is much less than the commercial industry standard. This shows us once again how swiftly security can work in the open source community, leaving it up to us to stay updated and patch when necessary. 

You can find more information about the issues and their fix here, or on the curl security advisories.
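One way to run that version check, as an added example that is not part of the original article or of curl itself: it reads the text printed by `curl --version`, takes the libcurl version (the library the two CVEs are in, which can differ from the command-line tool's version) and compares it with the affected ranges listed above. The sample banners are constructed, and the function names are hypothetical.

```python
import re

# Affected libcurl ranges exactly as listed above (inclusive on both ends).
AFFECTED = {
    "CVE-2019-5481": ((7, 52, 0), (7, 65, 3)),
    "CVE-2019-5482": ((7, 19, 4), (7, 65, 3)),
}

def parse_banner(banner):
    """Extract the libcurl version and built-in protocols from `curl --version` text."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no libcurl/x.y.z token in banner")
    version = tuple(int(part) for part in m.groups())
    p = re.search(r"^Protocols:[ \t]*(.*)$", banner, re.MULTILINE)
    # None means "Protocols line missing", which must not be read as "TFTP absent".
    protocols = set(p.group(1).split()) if p else None
    return version, protocols

def assess(banner):
    """Map each CVE to True when the libcurl version falls in its affected range."""
    version, protocols = parse_banner(banner)
    report = {cve: lo <= version <= hi for cve, (lo, hi) in AFFECTED.items()}
    # CVE-2019-5482 sits in the TFTP handler, so record whether TFTP is compiled in.
    report["tftp_built_in"] = None if protocols is None else "tftp" in protocols
    return report

# Constructed sample banners (not captured from a real host).
SAMPLE_OLD = (
    "curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1\n"
    "Protocols: dict file ftp ftps http https tftp\n"
    "Features: IPv6 Largefile SSL\n"
)
# Same banner with a version outside the ranges listed above.
SAMPLE_NEWER = SAMPLE_OLD.replace("7.64.0", "7.66.0")

if __name__ == "__main__":
    for name, banner in (("old", SAMPLE_OLD), ("newer", SAMPLE_NEWER)):
        print(name, assess(banner))
```

A version-only comparison over-reports on distributions that backport security fixes without changing the upstream version number, so confirm against the distribution's own advisory before treating a match as unpatched.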

#2 Android

CVE-2019-2177

Vulnerability Score: High — 8.8

Affected versions: Android 7.1.1, 7.1.2, 8.0, 8.1 and 9

A permissions bypass in isPreferred of HidProfile.java in vulnerable Android versions might cause a device type confusion. According to the Android security bulletin, this could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

The Android security team, as per usual, published information about quite a few security vulnerabilities found in Android this past month. While this is one of the more critical ones, it’s not the only issue discovered this month. Considering how prevalent this open source operating system is today, it’s best you check which version your products are using and update ASAP. 

Read more about this security issue and its fix here.

#3 Linux kernel

CVE-2019-15926

Vulnerability Score: Critical — 9.1

Affected versions: before 5.2.3

Another month, another batch of newly disclosed Linux kernel vulnerabilities. In this case, the issue is an out-of-bounds access in some of the functions in the ath6kl wifi driver. According to the Debian security announcement, this could enable a nearby attacker on the same wifi network to cause a denial of service (memory corruption or crash).

Once again, the Linux kernel team delivered a hefty batch of new security issues this past month. This isn't surprising, considering the volume of code in this OG project combined with the size of the community. Happily, this well-established community also swiftly delivers fixes, so all we have to do is make sure to check which version we're using and update or patch the outdated ones. 

You can read more about this issue and its fix here.

#4 Python

CVE-2019-16056

Vulnerability Score: High — 7.5

Affected versions: through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4.

A major glitch was discovered in vulnerable versions of Python’s email module. It appears that this complex module might parse email addresses incorrectly if they contain multiple @ characters. An attacker could exploit this issue to trick a vulnerable application into accepting an email address that should be denied.  

Python is an old community favorite, consistently ranking third in GitHub’s list of top languages since 2015. While CWE-20 (input validation) is the most common type of issue found in Python, this project’s security profile is fairly solid. When we took a look at open source security in Python over time, we found a relatively low percentage of high-severity vulnerabilities over the past ten years, and a consistent decrease in vulnerabilities overall since 2015. 

Read more about this new Python vulnerability and its fix on GitHub, or on the Python issue tracker.
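A defensive check for applications that gate on an email domain, as an added example that is not from the original article or from CPython: it accepts only a bare address with exactly one @ and requires the parser to return the input unchanged, so the decision does not depend on how a given interpreter version handles multiple @ characters. The allow-list, sample addresses and function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the application only accepts addresses in these domains.
ALLOWED_DOMAINS = {"example.com"}

def strict_domain(raw):
    """Return the lowercased domain of a bare address, or None when the input
    is not exactly one local part, one '@' and one domain."""
    candidate = raw.strip()
    # Policy choice: exactly one '@'. This also rejects quoted local parts
    # that contain '@', which are legal but rare.
    if candidate.count("@") != 1:
        return None
    _, parsed = parseaddr(candidate)
    # The parser must hand back the whole input. If it returns something
    # shorter, longer or empty (display names, comments, anything it dropped),
    # the value that was validated would not be the value used later.
    if parsed != candidate:
        return None
    local, domain = parsed.split("@")
    if not local or not domain:
        return None
    return domain.lower()

def is_allowed(raw):
    """True only when the address passes the strict check and is allow-listed."""
    return strict_domain(raw) in ALLOWED_DOMAINS

# Constructed sample inputs.
SAMPLES = [
    "alice@example.com",
    "alice@other.test@example.com",  # multiple '@' characters
    "alice@other.test",
    "alice@example.com (note)",      # parser strips the comment
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} allowed={is_allowed(s)}")
```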

#5 Swagger-UI

WS-2019-0234

Vulnerability Score: Medium — 5

Affected versions: prior to 2.2.1

An XSS security issue was found in vulnerable versions of swagger-ui. According to the npm security advisory, the package allows HTML code in one of the values without proper sanitization, which could allow attackers to execute arbitrary JavaScript. The advisory recommends updating to version 2.2.1 or later. 

According to their documentation, Swagger is one of the most widely used open source toolsets for API development using the OpenAPI Specification. Swagger UI is one of the tools offered: a traditional npm module for single-page applications that are capable of resolving dependencies (via Webpack, Browserify, etc). 

You might have noticed that this issue’s index number has a WS rather than a CVE prefix. That’s because this vulnerability, like nearly a third of all JavaScript vulnerabilities, wasn’t published in the NVD, and hasn’t gotten a CVE index number yet. Instead, this security vulnerability was published in a community advisory and got the WS prefix. This shows once again that, while the open source community is active in discovering and publishing new vulnerabilities and fixes, the decentralized nature of the community means that tracking only one source, even one as comprehensive as the NVD, is not enough for comprehensive open source vulnerabilities coverage. 

Considering how popular this tool is among web developers, it’s best you make sure that you’re using a secure version. You can read more about the Swagger UI issue and its fix on GitHub.

Don’t Get Spooked By September’s New Open Source Security Vulnerabilities 

Don’t say we didn’t warn you — September’s list of top 5 new open source security vulnerabilities is not for the faint of heart. 

But it’s not all bad. While this month’s list includes open source components and libraries that are at the heart of the software development eco-system, they are also well-established projects maintained by active communities. That means that all those scary security vulnerabilities are found and published at a steady pace — along with their fixes. 

The best way to win at open source vulnerabilities management is to stay up-to-speed with the community, and the security announcements that members are quick to publish. Don’t let outdated and insecure open source components gather cobwebs in your projects. Keep track of the open source components that you’re using and update them on time, so that the vulnerabilities don’t haunt your product. 

Want to catch up on earlier open source vulnerabilities in 2019? Check out our top open source vulnerabilities page to see if there are any that you might have missed. 

See you next month when we pull together the top list for October. Until then, enjoy the Halloween festivities and track your open source components so that the scary stuff stays out of your software. 
