Use of software with known vulnerabilities in development
Description
The system uses a version of a software package or dependency with publicly known vulnerabilities in pre-production (development, testing or staging) environments.
Impact
An attacker can exploit the publicly known vulnerabilities of the affected components in the pre-production environments where they are deployed.
Recommendation
- Update the affected software to the versions recommended by the vendor.
- Replace deprecated components, and components with unpatched (including zero-day) vulnerabilities for which the vendor provides no fixed version.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: L
Temporal
- Exploit code maturity: P
- Remediation level: O
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
- Score:
- Base: 5.0
- Temporal: 4.5
- Severity:
- Base: Medium
- Temporal: Medium
Code Examples
Compliant code
Search for known vulnerabilities in every dependency the code declares (devDependencies included, since pre-production environments install them too) and replace vulnerable ones with patched versions or safer alternatives. The trailing commas of the original manifest were removed so that it is valid JSON.
{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0"
  }
}
Non compliant code
Example declaring a dependency with known vulnerabilities, such as xmldom, as a development dependency:
{
  "name": "test",
  "version": "1.0.0",
  "description": "nothing",
  "main": "index.js",
  "author": "Luis Saavedra",
  "license": "MIT",
  "private": false,
  "dependencies": {
    "@angular/core": "^13.3.3",
    "cloudron-sysadmin": "1.0.0",
    "script-manager": "0.8.6",
    "slug": "0.9.0"
  },
  "devDependencies": {
    "xmldom": "0.4.0"
  }
}