Skip to main content

Use of software with known vulnerabilities

Description

The system uses the version of a software or dependency with known vulnerabilities.

Impact

Exploit found vulnerabilities in the affected components.

Recommendation

Update the affected software to the versions recommended by the vendor.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
  • Score:
    • Base: 5.0
    • Temporal: 4.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Search for known vulnerabilities of any dependencies used on the code, replace them for safer alternatives

{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0",
  },
}

Non compliant code

Example importing dependencies with known vulnerabilities

{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0",
    "script-manager": "0.8.6",
    "slug": "0.9.0"
  },
  "devDependencies": {
    "xmldom": "0.4.0"
  }
}
dependencies {
  compile "io.springfox:springfox-swagger-ui:2.6.1"
  compile("io.springfox:springfox-swagger-ui")
  compile(group: 'javax.mail', name: 'mail')
  compileOnly group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.2'
  implementation group: 'org.json', name: 'json', version: '20160810'
  implementation(group: 'javax.mail', name: 'mail', version: '1.4')
}

Examples using software with known vulnerabilities

using System;
class ExampleClass{
  public void ExampleMethod(){
    //Is the URI is tainted, it may lead to parsing of a malicious XML schema
    XmlSchemaCollection xsc = new XmlSchemaCollection();
    xsc.Add("urn: bookstore - schema", "books.xsd");
  }
}
using System;
using System;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

namespace TestForXslTransform{
  class Program{
    static void Main(string[] args){
      XslTransform xslt = new XslTransform();
      xslt.Load("https://server/favorite.xsl");
      XPathDocument mydata = new XPathDocument("inputdata.xml");
      XmlWriter writer = new XmlTextWriter(Console.Out);
      xslt.Transform(mydata, null, writer, null);
    }
  }
}

Requirements