Top 10: Most Common Open-Source Vulnerabilities

This vulnerability is an out-of-bounds read/write vulnerability found in e2fsprogs 1.46.5. It is a widespread issue as it was not fixed in all Debian versions – buster, bullseye and stretch. The flaw can lead to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

Assigning it a Low rating, JFrog noted that it is only possible to cause a massive buffer overflow with a negative integer value, which leads to a DoS attack, but won’t lead to code execution. Additionally, the attack must be performed locally.

This vulnerability affects the Jackson library, which is the number one ranked JSON parser for Java. The issue is in ObjectMapper, which is responsible for serialisation and deserialisation from various data formats. It is likely to be exploited in vulnerable configurations since a public exploit exists.

JFrog has given this vulnerability a Medium severity rating as there is a moderate risk it was cause a DoS impact on library usage. However, exploitation is very difficult because it requires that Jackson be initialised with a non-default value.

This is another Jackson-databind deserialisation vulnerability, in which resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.

Like CVE-2022-42003, JFrog gave it a lower severity rating than on the VVSS due to the difficulty in exploitation.

This vulnerability is located in the system software suite in Debian. It was discovered that due to an off-by-one error in the format_timespan function in time-util.c, an attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a DoS.

The flaw has not been fixed in all Debian versions, but JFrog gave it a Low rating, because it is hard to exploit even for a DoS.

Unpatched for an entire month following discovery in December 2022, this SnakeYAML vulnerability is very widespread since SnakeYAML is the number one YAML parser for Java. It was found that deserialising yaml content provided by an attacker can lead to remote code execution. Users are advised to upgrade to SnakeYaml version 2.0 and beyond to reduce the risk of exploitation.

JFrog concurred with the Critical rating on NVSS as it is highly likely SnakeYAML will be used to parse externally supplied YAML data.

Another vulnerability found in SnakeYAML, this flaw is a stack exhaustion by a crafted YAML file containing a deeply nested YAML, that may lead to a DoS.

Unlike the Medium severity rating on the NVD, JFrog sees this flaw as a High threat, as the vulnerable scenario is very likely.

With this vulnerability, attackers using SnakeYAML to parse untrusted YAML files may be vulnerable to DoS attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

JFrog rated this a more severe vulnerability than on the NVD, at High. One of the reasons for this is that it is highly likely SnakeYAML will be used to parse externally supplied YAML data.

As with the previous two vulnerabilities, this is a stack exhaustion that can lead to a DoS attack in SnakeYAML.

Again, JFrog has given this a High severity rating, unlike the Medium score assigned on the NVD.