The total number of vulnerabilities found in the world’s most popular open-source software (OSS) doubled in the past year, according to a new report from risk-based vulnerability management firm RiskSense.
Based on an analysis of OSS vulnerabilities used in almost 96 percent of commercial databases, the report states that the number of flaws rose to 968 in 2019, up from only 421 the previous year.
The report also claims it takes too long for flaws to be added to the National Vulnerability Database, with an average time of 54 days between public disclosure and entry into the database. This means businesses are placed at “serious application security risks” for almost two months.
To make matters worse, the process is never expedited, even if a vulnerability is deemed “critical”.
“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organisations,” said Srinivas Mukkamala, CEO of RiskSense.
“Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
According to the report, the Jenkins automation server exhibited the most CVEs overall, with 646 instances, followed by MySQL with 624. The pair were also linked to some of the most weaponised vulnerabilities.