Skip to main content

Use of software with known vulnerabilities in development

Description

The system uses the version of a software or dependency with known vulnerabilities in pre-productive environments.

Impact

Exploit public vulnerabilities of the components in the affected environments.

Recommendation

  • Update the affected software to the versions recommended by the vendor.
  • Replace deprecated components or components with Zero-Day vulnerabilities.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
  • Score:
    • Base: 5.0
    • Temporal: 4.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Search for known vulnerabilities of any dependencies used on the code, replace them for safer alternatives

{
"name": "test",
"version": "1.0.0",
"description": "nothing",
"main": "index.js",
"author": "Luis Saavedra",
"license": "MIT",
"private": false,
"dependencies": {
"@angular/core": "^13.3.3",
"cloudron-sysadmin": "1.0.0",
},
}

Non compliant code

Example importing a dependency with known vulnerabilities such as xmldom

{
"name": "test",
"version": "1.0.0",
"description": "nothing",
"main": "index.js",
"author": "Luis Saavedra",
"license": "MIT",
"private": false,
"dependencies": {
"@angular/core": "^13.3.3",
"cloudron-sysadmin": "1.0.0",
"script-manager": "0.8.6",
"slug": "0.9.0"
},
"devDependencies": {
"xmldom": "0.4.0"
}
}

Requirements