Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1357 — Vulnerability Class 4

4 vulnerabilities classified as CWE-1357. AI Chinese analysis included.

CWE-1357 represents a structural weakness where software or hardware systems integrate components lacking adequate security, reliability, or maintainability standards. This flaw typically arises when developers incorporate third-party libraries, open-source modules, or legacy hardware without verifying their trustworthiness or update mechanisms. Attackers exploit this by targeting the weak component to gain unauthorized access, cause system instability, or introduce malicious code that propagates through the larger integrated entity. To mitigate this risk, developers must implement rigorous supply chain security practices, including thorough vendor vetting, continuous monitoring for vulnerabilities, and enforcing strict version control policies. By ensuring all integrated parts meet established security baselines and receive regular updates, organizations can prevent compromised components from undermining the integrity of the entire system.

MITRE CWE Description
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability. Many modern hardware and software products are built by combining multiple smaller components together into one larger entity, often during the design or architecture phase. For example, a hardware component might be built by a separate supplier, or the product might use an open-source software library from a third party. Regardless of the source, each component should be sufficiently trusted to ensure correct, secure operation of the product. If a component is not trustworthy, it can produce significant risks for the overall product, such as vulnerabilities that cannot be patched fast enough (if at all); hidden functionality such as malware; inability to update or replace the component if needed for security purposes; hardware components built from parts that do not meet specifications in ways that can lead to weaknesses; etc. Note that a component might not be trustworthy even if it is owned by the product vendor, such as a software component whose source code is lost and was built by developers who left the company, or a component that was developed by a separate company that was acquired and brought into the product's own company. Note that there can be disagreement as to whether a component is sufficiently trustworthy, since trust is ultimately subjective. Different stakeholde…
Common Consequences (1)
OtherReduce Maintainability
Mitigations (3)
Requirements, Architecture and Design, ImplementationFor each component, ensure that its supply chain is well-controlled with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
Architecture and Design, Implementation, Integration, ManufacturingMaintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Operation, Patching and MaintenanceContinue to monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, supplier practices that affect trustworthiness, etc.
Examples (1)
A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes.
The refrigerator has no means of patching and is hacked, becoming a spewer of email spam.
Bad · Other
The device automatically patches itself and provides considerable more protection against being hacked.
Good · Other
CVE IDTitleCVSSSeverityPublished
CVE-2025-32800 Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI — conda-build 9.8AICriticalAI2025-06-16
CVE-2024-26024 SUBNET Substation Server Reliance on Insufficiently Trustworthy Component — Substation Server 8.4 High2024-05-28
CVE-2024-28042 SUBNET PowerSYSTEM Center Reliance on Insufficiently Trustworthy Component — PowerSYSTEM Center 8.4 High2024-05-15
CVE-2024-3313 SUBNET PowerSYSTEM Server and Substation Server Reliance on Insufficiently Trustworthy Component — PowerSYSTEM Server 8.4 High2024-04-09

Vulnerabilities classified as CWE-1357 represent 4 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.