CWE-1395: Dependency on Vulnerable Third-Party Component
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
Common Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Varies by Context
Note: The consequences vary widely, depending on the vulnerabilities that exist in the component; on how those vulnerabilities can be "reached" by adversaries, since the exploitation paths and attack surface depend on how the component is used; and on the criticality of the privilege levels and features for which the product relies on the component.
Potential Mitigations
Phase: Requirements, Policy
Description: In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Phase: Requirements
Description: Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Phase: Architecture and Design, Implementation, Integration, Manufacturing
Description: Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phase: Operation, Patching and Maintenance
Description: Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Phase: Operation, Patching and Maintenance
Description: Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Detection Methods
Method: Automated Analysis
For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. SCA tools can often link the dependencies they detect to known vulnerabilities. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
Effectiveness: High
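The core of what an SCA tool does with an SBOM is to match each inventoried component against advisory version ranges. The following is an added example, not code from CWE or from any of the tools named above: it parses a constructed CycloneDX-style SBOM fragment and checks it against a constructed advisory list using OSV-style "introduced"/"fixed" ranges. Component names and advisory IDs are placeholders.

```python
import json

# Constructed CycloneDX-like SBOM fragment (placeholder package names and versions).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-parser", "version": "1.4.2", "purl": "pkg:pypi/example-parser@1.4.2"},
    {"name": "example-http",   "version": "2.0.0", "purl": "pkg:pypi/example-http@2.0.0"},
    {"name": "example-crypto", "version": "3.1.0", "purl": "pkg:pypi/example-crypto@3.1.0"}
  ]
}
"""

# Constructed advisory feed, OSV-style: affected if introduced <= version < fixed.
# A missing "fixed" means no patched release exists yet (open range). IDs are placeholders.
ADVISORIES = [
    {"package": "example-parser", "introduced": "1.0.0", "fixed": "1.4.3", "id": "ADV-PLACEHOLDER-1"},
    {"package": "example-http",   "introduced": "2.0.0", "fixed": None,    "id": "ADV-PLACEHOLDER-2"},
    {"package": "example-crypto", "introduced": "2.0.0", "fixed": "3.0.0", "id": "ADV-PLACEHOLDER-3"},
]


def parse_version(v):
    """Dotted numeric version -> tuple, so 1.10.0 sorts after 1.9.0 (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory id, fixed version) for each SBOM component that matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        remedy = f"upgrade to >= {fixed}" if fixed else "no fixed release yet; track vendor for a patch"
        print(f"{name} {version}: {adv_id} ({remedy})")
```

The open-range case (no "fixed" version) is the situation the Operation-phase mitigations above address: the component must stay on a watch list until the vendor ships a patch.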
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | The product architect or designer might choose a component that is already known to contain vulnerabilities or has a high likelihood of containing vulnerabilities in the future. |
| Implementation | For reasons of compatibility or stability, developers might choose a third-party component, such as a library, that is already known to contain vulnerabilities. |
| Patching and Maintenance | Since all products contain vulnerabilities, over time, a third-party component will be discovered to have a vulnerability. |
Applicable Platforms
Languages
Operating Systems
Technologies
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| ISA/IEC 62443 | Part 4-2 | Req CR 2.4 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 6.2 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 7.2 | - |
| ISA/IEC 62443 | Part 4-1 | Req SM-9 | - |
| ISA/IEC 62443 | Part 4-1 | Req SM-10 | - |
| ISA/IEC 62443 | Part 4-1 | Req SR-2 | - |
| ISA/IEC 62443 | Part 4-1 | Req DM-1 | - |
| ISA/IEC 62443 | Part 4-1 | Req DM-3 | - |
| ISA/IEC 62443 | Part 4-1 | Req DM-4 | - |
| ISA/IEC 62443 | Part 4-1 | Req SVV-1 | - |
| ISA/IEC 62443 | Part 4-1 | Req SVV-3 | - |