The Similarities of Software Vulnerabilities for Interpreted Programming Languages

Abstract

This short paper examines the similarities and differences of software vulnerabilities reported for interpreted programming languages. Based on a sample of vulnerabilities from four software repositories (Maven, npm, PyPI, and RubyGems), the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) are used for comparing the vulnerabilities across the repositories. According to the results, (i) the severity of the vulnerabilities is similar across the repositories; the median CVSS v.3 base scores are around seven. Similarity can be observed also in terms of the weaknesses underneath the vulnerabilities. In particular, (ii) cross-site scripting and input validation have been the most typical weaknesses across all four repositories. The same applies to path-traversal bugs, unauthorized accesses, and resource management bugs. With these observations, the paper contributes to the recent active research on language-specific software repositories.