
Open-Source Vulnerabilities to be Aware of in 2020


Open source gives businesses and developers control over their web applications, and many value the freedom it allows. One key consideration for any open-source developer, however, is the potential for vulnerabilities. All WordPress and open-source developers need to be acutely aware of the vulnerabilities that affect their components and be prepared to deal with them.

In 2020, these vulnerabilities are as potent as ever, which makes it vital for all developers to follow best practices. Both large and small open-source projects can be affected. In this article, we go through ten open-source vulnerabilities to be aware of.

Zero-Day WordPress File-Manager

Just this month, over 700,000 WordPress users were affected by a vulnerability in the “File Manager” plugin, which allowed outside users to execute commands and upload malware onto a website. A patch was released the same day, and users were urged to update. However, the flaw is still being actively exploited in the wild, and millions of websites are still being probed by automated attacks.

The vulnerability bypassed some built-in protections, which should concern developers. The best way to protect against this type of vulnerability and others like it is an open-source vulnerability scanner, which can alert you to vulnerable components immediately and let you fix them before any major damage is done.

Lodash Prototype Pollution

Lodash is a popular JavaScript utility library that simplifies work with arrays, strings, objects, and more. It is one of the most widely used open-source projects thanks to its ease of use; the current version has more than 25 million weekly downloads. A prototype pollution vulnerability, tracked under a CVE identifier, was found in some of the functions of the Lodash node module. A patch has been released, and all users should update.

JS-YAML

Another popular JavaScript component is JS-YAML, a YAML parser and serializer for JavaScript used by millions of users. Versions before 3.13.1 were found to be vulnerable to code injection: the load function could be manipulated into executing malicious code supplied through a YAML file. The vulnerability was quickly patched, and the fix is available by updating.

Fstream


One of the most heavily used open-source projects of 2020 is Fstream, which currently has over 4 million downloads a week, underlining just how many people rely on this project that provides file streams for Node. Versions of Fstream before 1.0.12 are affected by an arbitrary file overwrite vulnerability. Updating fixes the issue.
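The JS-YAML and Fstream sections above both come down to one check: is the installed version below the fixed release? The following script is an added example, not code from the article or from either project; it walks a package-lock-style dependency map (constructed inline) and reports any copy of js-yaml older than 3.13.1 or fstream older than 1.0.12, including copies nested under other packages.

```javascript
// Added example (not from the article): flag npm packages installed below the
// fixed versions the article cites, js-yaml < 3.13.1 and fstream < 1.0.12.
const MIN_SAFE = {
  'js-yaml': '3.13.1',
  'fstream': '1.0.12',
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: "1.0.9" < "1.0.12", which a string compare gets wrong.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// lockDeps is shaped like the "dependencies" map of a v1 package-lock.json:
// name -> { version, dependencies? }. Nested entries are walked too, because
// an old copy of a library often hides under another package.
function findOutdated(lockDeps, minSafe = MIN_SAFE, path = []) {
  const findings = [];
  for (const [name, info] of Object.entries(lockDeps || {})) {
    const here = [...path, name];
    const fixed = minSafe[name];
    if (fixed && compareVersions(info.version, fixed) < 0) {
      findings.push({ name, installed: info.version, fixed, path: here.join(' > ') });
    }
    findings.push(...findOutdated(info.dependencies, minSafe, here));
  }
  return findings;
}

// Constructed sample lockfile: fstream is patched, but an old js-yaml is
// pulled in transitively by a build tool.
const SAMPLE_LOCK = {
  'fstream': { version: '1.0.12' },
  'some-build-tool': {
    version: '2.0.0',
    dependencies: { 'js-yaml': { version: '3.12.0' } },
  },
};
console.log(JSON.stringify(findOutdated(SAMPLE_LOCK), null, 2));
```

To run it against a real project, load the `dependencies` object from your package-lock.json and pass it to `findOutdated` in place of the constructed sample.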

Python

Next up on our list is one of the most popular programming languages of the past few years. Python is a top language for both beginners and experts, and has consistently ranked within the top 3 on GitHub for the past five years. It is known for its strong security record, but it too has been affected by a vulnerability, found in its email module.

The flaw allowed an unauthorised email to be accepted by a vulnerable application. The fix is fairly simple and can be found on GitHub. In general, Python has proven to be a highly secure language, with very few high-profile vulnerabilities reported in the last 10 years.

Linux Kernel

Linux has one of the most active communities in the world. Many of these users are actively dedicated to finding issues with the open source code, and getting them fixed as quickly as possible. In recent times, one of the biggest vulnerabilities in Linux has been found in a USB device driver. 

A use-after-free vulnerability was detected that an attacker could use to mount a denial of service attack. Make sure you are running an updated kernel; a fix for this vulnerability has been published.

cURL


cURL is widely used across many technologies, including WordPress; any process that transfers data over the internet is likely to use it. It is therefore vital that vulnerabilities are prevented and fixed whenever they pop up, and essential to keep your cURL updated to avoid the possibility of exploits.

Two major vulnerabilities were recently found: one in the URL transfer library and the other in its TFTP protocol handling. The community published fixes within two weeks of the vulnerabilities being found, which is far faster than the industry norm and an example of how efficiently the open-source community can work.

Closing Thoughts

These are some of the open-source vulnerabilities that all developers should keep in mind. You will have noticed the sheer variety of projects listed here, which means it is vital to be on guard regardless of whether you are working on a new or an old open-source project. Don’t become complacent just because you work with a popular open-source project.

Popularity has no bearing on the likelihood of a vulnerability or exploit being found, and project size is irrelevant to the risk that may be present. As always, keep your components updated: track your open-source components and apply fixes as soon as you are notified of any vulnerabilities.

Now is the time to check your security practices, whether you are a WordPress developer or working with another open-source project. 
