
CWE-1395 vulnerability list (34)

Summary of the 34 CVE vulnerabilities associated with the CWE-1395 weakness class, with AI-generated analysis in Chinese.

CWE-1395 refers to software that depends on third-party components containing known vulnerabilities. Attackers frequently exploit these known flaws, injecting malicious code or triggering remote code execution, to bypass the application's defenses and take control of the target system. Developers should establish a rigorous supply-chain security process: scan dependencies regularly to identify risk, promptly update or replace libraries with known vulnerabilities, and minimize the number of external components introduced, so as to effectively reduce the security risk arising from defects in third-party code.

MITRE CWE official description
CWE: CWE-1395 Dependency on Vulnerable Third-Party Component. Description (English): The product has a dependency on a third-party component that contains one or more known vulnerabilities. Many products are large or complex enough that part of their functionality uses libraries, modules, or other intellectual property developed by third parties who are not the product creator. For example, in some hardware products even the entire operating system may come from a third-party supplier. Whether these components are open or closed source, they may contain publicly known vulnerabilities or hidden functionality (such as malware) that an adversary could exploit to compromise the product.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Varies by Context.
The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, as the exploitation paths and attack surface will vary depending on how the component is used; and the criticality of the privilege levels and featur…
Mitigations (5)
Phases: Requirements, Policy. In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are di…
Phase: Requirements. Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Phases: Architecture and Design, Implementation, Integration, Manufacturing. Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phases: Operation, Patching and Maintenance. Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Phases: Operation, Patching and Maintenance. Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Code examples (2)
The "SweynTooth" vulnerabilities in Bluetooth Low Energy (BLE) software development kits (SDK) were found to affect multiple Bluetooth System-on-Chip (SoC) manufacturers. These SoCs were used by many products such as medical devices, Smart Home devices, wearables, and other IoT devices. [REF-1314] [REF-1315]
log4j, a Java-based logging framework, is used in a large number of products, with estimates in the range of 3 billion affected devices [REF-1317]. When the "log4shell" (CVE-2021-44228) vulnerability was initially announced, it was actively exploited for remote code execution, requiring urgent mitigation in many organizations. However, it was unclear how many products were affected, as Log4j would…
Values marked (AI) carry the page's AI badge, indicating a score or severity supplied by the platform's AI analysis rather than the vendor or NVD.

| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2025-59851 | HCL DFXAnalytics insecure security header configuration vulnerability — DFXAnalytics | 3.7 | Low | 2026-05-06 |
| CVE-2025-15638 | Net::Dropbear security vulnerability — Net::Dropbear | 9.8 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2024-14031 | Sereal::Encoder security vulnerability — Sereal::Encoder | 8.1 (AI) | High (AI) | 2026-03-31 |
| CVE-2024-14030 | Sereal::Decoder security vulnerability — Sereal::Decoder | 8.1 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-4176 | Perl security vulnerability — perl | 9.8 | - | 2026-03-29 |
| CVE-2026-23654 | Microsoft GitHub Repo: Zero Shot scFoundation security vulnerability — GitHub Repo: Zero Shot scFoundation | 8.8 | High | 2026-03-10 |
| CVE-2026-3257 | unqlite security vulnerability — UnQLite | 9.8 | - | 2026-03-05 |
| CVE-2026-3381 | zlib security vulnerability — Compress::Raw::Zlib | 9.8 | - | 2026-03-05 |
| CVE-2026-0943 | MetaCPAN HarfBuzz::Shaper security vulnerability — HarfBuzz::Shaper | 6.5 (AI) | Medium (AI) | 2026-01-19 |
| CVE-2025-69275 | Broadcom DX NetOps Spectrum security vulnerability — DX NetOps Spectrum | 6.1 (AI) | Medium (AI) | 2026-01-12 |
| CVE-2025-15444 | libsodium security vulnerability — Crypt::Sodium::XS | 8.1 | - | 2026-01-06 |
| CVE-2025-13823 | Rockwell Automation multiple products security vulnerability — Micro820®, Micro850®, Micro870® | 7.5 (AI) | High (AI) | 2025-12-15 |
| CVE-2025-12220 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 security vulnerability — BLU-IC2 | 9.8 | - | 2025-10-25 |
| CVE-2025-12219 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 security vulnerability — BLU-IC2 | 8.8 | - | 2025-10-25 |
| CVE-2025-34203 | Vasion Print and Vasion Print Virtual Appliance Host security vulnerability — Print Virtual Appliance Host | 10.0 | - | 2025-09-19 |
| CVE-2025-10226 | AxxonSoft AxxonOne security vulnerability — AxxonOne C-Werk | 9.8 | Critical | 2025-09-10 |
| CVE-2025-42927 | SAP NetWeaver AS Java security vulnerability — SAP NetWeaver AS Java (Adobe Document Service) | 3.4 | Low | 2025-09-09 |
| CVE-2025-40913 | MetaCPAN Net::Dropbear security vulnerability — Net::Dropbear | 9.8 (AI) | Critical (AI) | 2025-07-16 |
| CVE-2024-26293 | Avid multiple products security vulnerability — Avid NEXIS E-series | 9.8 (AI) | Critical (AI) | 2025-07-14 |
| CVE-2022-4976 | Archive::Unzip::Burst security vulnerability — Archive::Unzip::Burst | 8.8 (AI) | High (AI) | 2025-06-12 |
| CVE-2025-40912 | Perl CryptX security vulnerability — CryptX | 9.8 (AI) | Critical (AI) | 2025-06-11 |
| CVE-2025-40914 | Perl CryptX security vulnerability — CryptX | 9.8 (AI) | Critical (AI) | 2025-06-11 |
| CVE-2020-36846 | MetaCPAN IO::Compress::Brotli security vulnerability — IO::Compress::Brotli | 7.5 (AI) | High (AI) | 2025-05-30 |
| CVE-2025-40906 | MetaCPAN BSON::XS security vulnerability — BSON::XS | 9.8 (AI) | Critical (AI) | 2025-05-16 |
| CVE-2025-40907 | fcgi2 security vulnerability — FCGI | 9.8 (AI) | Critical (AI) | 2025-05-16 |
| CVE-2024-12740 | NI Vision security vulnerability — Vision Development Module | 7.8 | High | 2025-01-27 |
| CVE-2024-11948 | GFI Archiver security vulnerability — Archiver | 9.8 | - | 2024-12-11 |
| CVE-2024-6121 | NI SystemLink Server security vulnerability — SystemLink Server | 7.8 | High | 2024-07-22 |
| CVE-2024-32753 | Johnson Controls Illustra Pro Gen 4 security vulnerability — TYCO Illustra Pro4 Fixed cameras | 9.1 (AI) | Critical (AI) | 2024-07-11 |
| CVE-2024-38526 | pdoc security vulnerability — pdoc | - | High | 2024-06-25 |

CWE-1395 is a common weakness category; this platform has indexed 34 CVE vulnerabilities associated with it.