Infosecurity Europe
4-6 June 2024
ExCeL London

Top 10: Most Common Open-Source Vulnerabilities

The growing use of open-source software across digital services and products has increased cyber-risks for organisations.

While open-source software provides many benefits to businesses and society at large, the fact it is open to everyone for any purpose makes it especially vulnerable to malicious actors.

The most infamous open-source vulnerability is Log4j, which was discovered at the end of 2021. The vulnerability is expected to be exploited for years to come.

As a result, it is crucial that security and DevOps teams continually monitor for, and quickly remediate, vulnerabilities in their open-source software stack.

The 2023 JFrog Security Research Report provided an analysis into the most often detected open-source vulnerabilities in the calendar year 2022.

These security flaws have been compiled in the list below, along with the Common Vulnerability Scoring System (CVSS) score assigned to each of them in the National Vulnerability Database (NVD).

1. CVE-2022-0563. Severity: Medium (CVSS Base Score: 5.5)

This vulnerability was detected most frequently throughout 2022, which is likely because it affects all versions of a popular Linux distribution called Debian. The flaw was detected in the util-linux chfn and chsh utilities when compiled with Readline support. It allows an unprivileged user to read root-owned files, potentially leading to privilege escalation.

Unlike the NVD, JFrog rated the vulnerability as ‘Low,’ because none of the major Linux distributions ships a vulnerable build of the chfn and chsh utilities, and the file contents that can be leaked are only partial. In addition, the attack must be performed locally, limiting the number of attackers who can exploit this flaw.

2. CVE-2022-29458. Severity: High (CVSS Base Score: 7.1)

Again affecting all Debian versions, this CVE is “extremely widespread” according to JFrog. The vulnerability has been labelled an ‘Out-of-Bounds Read’ that can lead to a denial of service (DoS) and unintended information disclosure. The flaw, present in ncurses 6.3 before patch 20220416, is an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Despite the High severity rating in the NVD, the flaw was assigned as Low by JFrog, partly because exploitation is “extremely unlikely” as ncurses must be running on a client utility with an externally controlled file as input. Additionally, any DoS impact would be minimal.

3. CVE-2022-1304. Severity: High (CVSS Base Score: 7.8)

This vulnerability is an out-of-bounds read/write vulnerability found in e2fsprogs 1.46.5. It is a widespread issue as it was not fixed in all Debian versions – buster, bullseye and stretch. The flaw can lead to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

Assigning it a Low rating, JFrog noted that it is only possible to cause a massive buffer overflow with a negative integer value, which leads to a DoS attack, but won’t lead to code execution. Additionally, the attack must be performed locally.

4. CVE-2022-42003. Severity: High (CVSS Base Score: 7.5)

This vulnerability affects the Jackson library, which is the number one ranked JSON parser for Java. The issue is in ObjectMapper, which is responsible for serialisation and deserialisation from various data formats. It is likely to be exploited in vulnerable configurations since a public exploit exists.

JFrog has given this vulnerability a Medium severity rating as there is a moderate risk it would cause a DoS impact on library usage. However, exploitation is very difficult because it requires that Jackson be initialised with a non-default value.

5. CVE-2022-42004. Severity: High (CVSS Base Score: 7.5)

This is another Jackson-databind deserialisation vulnerability, in which resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.

Like CVE-2022-42003, JFrog gave it a lower severity rating than the NVD due to the difficulty of exploitation.
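Both Jackson items above are the same class of problem: deeply nested arrays that drive the deserializer into unbounded recursion. The following is an added example, not code from the article or from the Jackson project, showing the two controls a defender would apply: keeping the non-default feature at its default (the NVD text for CVE-2022-42003 names `UNWRAP_SINGLE_VALUE_ARRAYS`; the article itself does not name it) and capping nesting depth with `StreamReadConstraints`, which assumes jackson-databind 2.15 or later. The class name, the depth limit of 100 and the constructed test document are all assumptions.

```java
// Added example (not from the article or from the Jackson project): an ObjectMapper
// hardened against the deep-nesting resource-exhaustion class behind
// CVE-2022-42003 / CVE-2022-42004. Assumes jackson-databind >= 2.15, where
// StreamReadConstraints exists; the depth limit of 100 is an assumed value.
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class HardenedJacksonExample {

    // Deepest document this application is willing to parse (assumed value;
    // legitimate payloads are far shallower, so this costs nothing in practice).
    private static final int MAX_DEPTH = 100;

    public static ObjectMapper hardenedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(MAX_DEPTH)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        ObjectMapper mapper = new ObjectMapper(factory);
        // The non-default feature the CVE description refers to; leave it off.
        mapper.disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return mapper;
    }

    // Constructed test document: `depth` nested arrays around a single number.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Ordinary input well inside the limit parses as usual.
        Object ok = mapper.readValue(nestedArrays(10), Object.class);
        System.out.println("depth 10 parsed as " + ok.getClass().getSimpleName());

        // Input deeper than MAX_DEPTH is rejected by the streaming parser before
        // any databind deserializer gets a chance to recurse on it.
        try {
            mapper.readValue(nestedArrays(MAX_DEPTH + 1), Object.class);
            System.out.println("unexpected: deep document accepted");
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The depth cap is the durable control: it holds regardless of which deserializer a future bug lives in, whereas disabling one feature only addresses the configuration JFrog describes as the precondition for CVE-2022-42003.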

6. CVE-2022-3821. Severity: Medium (CVSS Base Score: 5.5)

This vulnerability is located in the systemd software suite in Debian. It was discovered that, due to an off-by-one error in the format_timespan function in time-util.c, an attacker could supply specific values for time and accuracy that lead to a buffer overrun in format_timespan(), resulting in a DoS.

The flaw has not been fixed in all Debian versions, but JFrog gave it a Low rating, because it is hard to exploit even for a DoS.


7. CVE-2022-1471. Severity: Critical (CVSS Base Score: 9.8)

Unpatched for an entire month following discovery in December 2022, this SnakeYAML vulnerability is very widespread since SnakeYAML is the number one YAML parser for Java. It was found that deserialising YAML content provided by an attacker can lead to remote code execution. Users are advised to upgrade to SnakeYAML version 2.0 or later to reduce the risk of exploitation.

JFrog concurred with the Critical rating on the NVD as it is highly likely SnakeYAML will be used to parse externally supplied YAML data.

8. CVE-2022-41854. Severity: Medium (CVSS Base Score: 6.5)

Another vulnerability found in SnakeYAML, this flaw is a stack exhaustion triggered by a crafted YAML file containing deeply nested YAML, which may lead to a DoS.

Unlike the Medium severity rating on the NVD, JFrog sees this flaw as a High threat, as the vulnerable scenario is very likely.

9. CVE-2022-38751. Severity: Medium (CVSS Base Score: 6.5)

With this vulnerability, applications using SnakeYAML to parse untrusted YAML files may be vulnerable to DoS attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash through a stack overflow.

JFrog rated this a more severe vulnerability than on the NVD, at High. One of the reasons for this is that it is highly likely SnakeYAML will be used to parse externally supplied YAML data.

10. CVE-2022-38750. Severity: Medium (CVSS Base Score: 6.5)

As with the previous two vulnerabilities, this is a stack exhaustion that can lead to a DoS attack in SnakeYAML.

Again, JFrog has given this a High severity rating, unlike the Medium score assigned on the NVD.
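Items 7 to 10 all come down to how a SnakeYAML loader is configured when the input is untrusted. The following is an added example, not code from the article or from the SnakeYAML project, that applies the two controls a defender would add on top of the upgrade to 2.0 the article recommends: a `SafeConstructor`, which only builds standard YAML types and so refuses the arbitrary-class construction behind CVE-2022-1471, and `LoaderOptions` limits on nesting depth, alias expansion and document size, which cover the stack-exhaustion cases (CVE-2022-41854, CVE-2022-38751, CVE-2022-38750). It assumes SnakeYAML 2.x; the class name, the numeric limits and the constructed test documents are assumptions.

```java
// Added example (not from the article or from the SnakeYAML project): loading
// untrusted YAML with SafeConstructor plus LoaderOptions limits. Assumes
// SnakeYAML 2.x; every numeric limit below is an assumed value.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public final class SafeYamlLoader {

    private static final int MAX_NESTING = 50;          // assumed
    private static final int MAX_ALIASES = 50;          // assumed
    private static final int MAX_CODE_POINTS = 1 << 20; // assumed: about 1 MiB of text

    public static Yaml untrustedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(MAX_NESTING);        // deep nesting -> stack exhaustion
        opts.setMaxAliasesForCollections(MAX_ALIASES); // alias expansion bombs
        opts.setAllowRecursiveKeys(false);             // recursive keys
        opts.setCodePointLimit(MAX_CODE_POINTS);       // oversized documents
        // SafeConstructor only produces maps, lists and scalars; a document tagged
        // with a Java class name is rejected rather than instantiated.
        return new Yaml(new SafeConstructor(opts));
    }

    // Constructed test document: `depth` nested flow sequences around one scalar.
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        Yaml yaml = untrustedLoader();

        // 1. An ordinary configuration document loads into plain Java collections.
        Map<String, Object> cfg = yaml.load("server:\n  port: 8080\n  tls: true\n");
        System.out.println("loaded: " + cfg);

        // 2. A document tagged with a Java class is refused by SafeConstructor.
        try {
            yaml.load("!!java.util.Date \"2022-12-01\"");
            System.out.println("unexpected: class tag accepted");
        } catch (YAMLException e) {
            System.out.println("class tag rejected: " + e.getMessage());
        }

        // 3. Nesting beyond the limit is rejected by the composer before the
        //    recursive construction can exhaust the stack.
        try {
            yaml.load(nestedSequence(MAX_NESTING + 1));
            System.out.println("unexpected: deep document accepted");
        } catch (YAMLException e) {
            System.out.println("depth rejected: " + e.getMessage());
        }
    }
}
```

A useful check for a code base is to grep for `new Yaml()` and `new Constructor(`: any loader built that way and fed external input is the scenario JFrog rates as highly likely, and should be swapped for a configured `SafeConstructor` as above.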
