Use of software with known vulnerabilities
Description
The system uses a version of a software component or dependency that has known vulnerabilities.
Impact
Exploit the known vulnerabilities in the affected components.
Recommendation
Update the affected software to the versions recommended by the vendor.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: L
Temporal
- Exploit code maturity: P
- Remediation level: O
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
- Score:
  - Base: 5.0
  - Temporal: 4.5
- Severity:
  - Base: Medium
  - Temporal: Medium
Code Examples
Compliant code
Search for known vulnerabilities in every dependency used by the code and replace the vulnerable ones with safer alternatives.
{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0"
  }
}
Non-compliant code
Example importing dependencies with known vulnerabilities
{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0",
    "script-manager": "0.8.6",
    "slug": "0.9.0"
  },
  "devDependencies": {
    "xmldom": "0.4.0"
  }
}
dependencies {
  compile "io.springfox:springfox-swagger-ui:2.6.1"
  compile("io.springfox:springfox-swagger-ui")
  compile(group: 'javax.mail', name: 'mail')
  compileOnly group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.2'
  implementation group: 'org.json', name: 'json', version: '20160810'
  implementation(group: 'javax.mail', name: 'mail', version: '1.4')
}
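As an added example (not code from the original criteria page), the following check reads the non-compliant package.json shown above and flags every dependency whose lowest allowed version falls inside an affected range. The advisory feed is constructed sample data with placeholder identifiers and ranges, standing in for the output of `npm audit` or a real vulnerability database.

```javascript
// Constructed package.json, mirroring the non-compliant example above.
const PACKAGE_JSON = JSON.stringify({
  name: "test", version: "1.0.0",
  dependencies: {
    "@angular/core": "^13.3.3", "cloudron-sysadmin": "1.0.0",
    "script-manager": "0.8.6", "slug": "0.9.0"
  },
  devDependencies: { xmldom: "0.4.0" }
});

// Constructed sample advisories: placeholder ids and affected ranges for
// illustration only; real data comes from npm audit or a vulnerability feed.
const ADVISORIES = [
  { pkg: "script-manager", affected: "<0.8.7", id: "ADVISORY-PLACEHOLDER-1" },
  { pkg: "slug", affected: "<0.9.1", id: "ADVISORY-PLACEHOLDER-2" },
  { pkg: "xmldom", affected: ">=0.0.0 <0.5.0", id: "ADVISORY-PLACEHOLDER-3" }
];

// Compare dotted numeric versions; missing components count as 0.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Evaluate a space-separated list of comparators such as ">=0.4.0 <0.5.0".
function inRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = clause.match(/^(<=|>=|<|>|=)?(\d+(?:\.\d+)*)$/);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    const c = cmpVersion(version, m[2]);
    const op = m[1] || "=";
    return op === "<" ? c < 0 : op === "<=" ? c <= 0 :
           op === ">" ? c > 0 : op === ">=" ? c >= 0 : c === 0;
  });
}

// Lowest version a ^/~ spec allows; a lockfile's resolved version is better.
function minVersion(spec) { return spec.replace(/^[\^~=v]/, ""); }

// Return every dependency (prod and dev) matching an advisory.
function findVulnerable(packageJsonText, advisories) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).flatMap(([name, spec]) => advisories
    .filter((a) => a.pkg === name && inRange(minVersion(spec), a.affected))
    .map((a) => ({ name, version: minVersion(spec), id: a.id })));
}
```

Running it against the page's non-compliant manifest reports script-manager, slug and xmldom, while the two dependencies kept in the compliant manifest are not flagged.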
Examples using software with known vulnerabilities
using System;
using System.Xml.Schema;

class ExampleClass {
  public void ExampleMethod() {
    // If the URI is tainted, it may lead to parsing of a malicious XML schema.
    // XmlSchemaCollection is an obsolete class; XmlSchemaSet replaces it.
    XmlSchemaCollection xsc = new XmlSchemaCollection();
    xsc.Add("urn:bookstore-schema", "books.xsd");
  }
}
using System;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

namespace TestForXslTransform {
  class Program {
    static void Main(string[] args) {
      // XslTransform is an obsolete class with known issues; XslCompiledTransform replaces it.
      XslTransform xslt = new XslTransform();
      xslt.Load("https://server/favorite.xsl");
      XPathDocument mydata = new XPathDocument("inputdata.xml");
      XmlWriter writer = new XmlTextWriter(Console.Out);
      xslt.Transform(mydata, null, writer, null);
    }
  }
}