Use of software with known vulnerabilities
Description
The system uses a version of a software component or dependency that has known vulnerabilities.
Impact
Exploit the known vulnerabilities in the affected components.
Recommendation
Update the affected software to the versions recommended by the vendor.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: L
Temporal
- Exploit code maturity: P
- Remediation level: O
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
- Score:
  - Base: 5.0
  - Temporal: 4.5
- Severity:
  - Base: Medium
  - Temporal: Medium
Code Examples
Compliant code
Search for known vulnerabilities in every dependency used by the code and replace the affected ones with safer alternatives (package.json)
{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0"
  }
}
Non compliant code
Examples declaring dependencies with known vulnerabilities (package.json and build.gradle)
{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0",
    "script-manager": "0.8.6",
    "slug": "0.9.0"
  },
  "devDependencies": {
    "xmldom": "0.4.0"
  }
}
dependencies {
    // Outdated pinned version
    compile "io.springfox:springfox-swagger-ui:2.6.1"
    // No version pinned: the build does not control which release is resolved
    compile("io.springfox:springfox-swagger-ui")
    compile(group: 'javax.mail', name: 'mail')
    // Outdated versions of the logging, JSON and mail libraries
    compileOnly group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.13.2'
    implementation group: 'org.json', name: 'json', version: '20160810'
    implementation(group: 'javax.mail', name: 'mail', version: '1.4')
}
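The recommendation above amounts to comparing each declared dependency against an advisory feed and upgrading past the fixed version. The following is an added example, not code from the original page: a minimal audit of a package.json. ADVISORIES and SAMPLE_MANIFEST are constructed sample data with placeholder advisory ids (a real check would use a live advisory feed), and `resolved` stands in for the exact versions a lock file would provide.

```javascript
// Added example: audit a package.json against a (constructed) advisory table.

// Parse "1.4.2", "^13.3.3" or "~0.9.0" into numeric [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Constructed advisories (placeholder ids, not real records): a package is
// affected from `introduced` (inclusive) up to `fixed` (exclusive);
// fixed === null means no patched release exists.
const ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "slug", introduced: "0.0.0", fixed: "1.0.0" },
  { id: "ADVISORY-PLACEHOLDER-2", name: "xmldom", introduced: "0.0.0", fixed: "0.5.0" },
  { id: "ADVISORY-PLACEHOLDER-3", name: "script-manager", introduced: "0.0.0", fixed: null },
];

function isAffected(version, adv) {
  const v = parseVersion(version);
  if (compareVersions(v, parseVersion(adv.introduced)) < 0) return false;
  return adv.fixed === null || compareVersions(v, parseVersion(adv.fixed)) < 0;
}

// Audit both dependency sections. `resolved` maps a package name to the exact
// version from the lock file; without it the declared spec's minimum is checked,
// which is pessimistic for ranges like "^13.3.3" that may install a later patch.
function auditManifest(manifest, resolved = {}) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const version = resolved[name] || spec;
      for (const adv of ADVISORIES.filter((a) => a.name === name)) {
        if (!isAffected(version, adv)) continue;
        const remediation = adv.fixed ? `upgrade to >=${adv.fixed}` : "no fix; replace the package";
        findings.push({ name, section, version: parseVersion(version).join("."), advisory: adv.id, remediation });
      }
    }
  }
  return findings;
}

// Constructed manifest mirroring the non-compliant package.json above.
const SAMPLE_MANIFEST = {
  dependencies: { "@angular/core": "^13.3.3", "cloudron-sysadmin": "1.0.0", "script-manager": "0.8.6", slug: "0.9.0" },
  devDependencies: { xmldom: "0.4.0" },
};
```

Running `auditManifest(SAMPLE_MANIFEST)` flags script-manager, slug and xmldom; passing the lock file's resolved versions is what makes the check accurate for caret and tilde ranges.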
Examples using software with known vulnerabilities
using System;
using System.Xml.Schema;

class ExampleClass {
    public void ExampleMethod() {
        // If the URI is tainted, it may lead to parsing of a malicious XML schema.
        // XmlSchemaCollection is an obsolete API, superseded by XmlSchemaSet.
        XmlSchemaCollection xsc = new XmlSchemaCollection();
        xsc.Add("urn:bookstore-schema", "books.xsd");
    }
}
using System;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

namespace TestForXslTransform {
    class Program {
        static void Main(string[] args) {
            // XslTransform is an obsolete class, superseded by XslCompiledTransform.
            XslTransform xslt = new XslTransform();
            // The stylesheet is fetched from a remote location and executed as-is.
            xslt.Load("https://server/favorite.xsl");
            XPathDocument mydata = new XPathDocument("inputdata.xml");
            XmlWriter writer = new XmlTextWriter(Console.Out);
            xslt.Transform(mydata, null, writer, null);
        }
    }
}