Vulnerabilities in popular open source projects more than doubled in 2019

RiskSense has released a new report that takes an in-depth look at vulnerabilities in currently popular open-source software: how many there are, which projects carry the most, and which weakness types dominate.

The report deliberately leaves out Linux, WordPress, Drupal, and other heavily scrutinized projects that are already monitored closely. Instead, RiskSense looked at open-source projects that are less familiar to the general public but widely adopted by the technology and software community, including Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, and Puppet.

RiskSense reviewed the 50 most popular open-source software projects and found:

  • Vulnerabilities spanned every phase of modern development: dev/test, orchestration, containers, and the workloads themselves. The report breaks down the volume and the trends per tool, so teams can check the ones they actually use.
  • Open source is generating new vulnerabilities at a historically rapid pace. Consider what this means when development teams share libraries and re-use code, especially in business-critical applications.
  • NVD listing lags significantly behind public disclosure for OSS vulnerabilities, and the lag is worst for those with the highest CVSS severity.

The report shows that the total number of vulnerabilities in these projects more than doubled in 2019, from 421 in 2018 to 968 last year. It also points out that open-source vulnerabilities take a long time to reach the National Vulnerability Database (NVD): on average, 54 days pass between public disclosure and inclusion. Organizations that rely on NVD feeds alone can therefore remain exposed to a known, disclosed flaw for nearly two months. The delay affects every severity level, including vulnerabilities with the highest CVSS ratings and vulnerabilities for which working exploits already exist.

Other findings: the Jenkins automation server has the largest number of CVEs overall, at 646, followed by MySQL with 624. Each of these two projects has 15 weaponized vulnerabilities, that is, vulnerabilities for which exploit code is publicly available. By comparison, Vagrant has only 9 CVEs in total, yet 6 of them are weaponized, a reminder that a raw CVE count is a poor proxy for real exposure.

The full report can be obtained from the RiskSense website.