
CWE-1395 — Vulnerability Class 34

34 vulnerabilities classified as CWE-1395. AI Chinese analysis included.

CWE-1395 describes a software supply chain weakness: the product depends on a third-party component that contains known vulnerabilities. The exposure arises when developers integrate external libraries, modules, or intellectual property without vetting their security posture, and it also arises later, when a component that was clean at integration time has a vulnerability disclosed against it. Attackers target the specific vulnerability in the third-party code and use it as a foothold into the application that embeds it. Because the component is often deeply integrated, exploitation can lead to remote code execution, data breaches, or system takeover. Mitigation therefore rests on supply chain security practices: continuous monitoring of security advisories, automated vulnerability scanning of dependencies, and timely patching. Maintaining an accurate bill of materials and restricting the use of outdated or unmaintained libraries further reduce exposure to these indirect attack vectors.

MITRE CWE Description
The product has a dependency on a third-party component that contains one or more known vulnerabilities. Many products are large enough or complex enough that part of their functionality uses libraries, modules, or other intellectual property developed by third parties who are not the product creator. For example, even an entire operating system might be from a third-party supplier in some hardware products. Whether open or closed source, these components may contain publicly known vulnerabilities or hidden functionality such as malware that could be exploited by adversaries to compromise the product.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability
Impact: Varies by Context
The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, as the exploitation paths and attack surface will vary depending on how the component is used; and the criticality of the privilege levels and featur…
Mitigations (5)
Phases: Requirements, Policy. In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are di…
Phase: Requirements. Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Phases: Architecture and Design, Implementation, Integration, Manufacturing. Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phases: Operation, Patching and Maintenance. Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Phases: Operation, Patching and Maintenance. Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Examples (2)
The "SweynTooth" vulnerabilities in Bluetooth Low Energy (BLE) software development kits (SDK) were found to affect multiple Bluetooth System-on-Chip (SoC) manufacturers. These SoCs were used by many products such as medical devices, Smart Home devices, wearables, and other IoT devices. [REF-1314] [REF-1315]
log4j, a Java-based logging framework, is used in a large number of products, with estimates in the range of 3 billion affected devices [REF-1317]. When the "log4shell" (CVE-2021-44228) vulnerability was initially announced, it was actively exploited for remote code execution, requiring urgent mitigation in many organizations. However, it was unclear how many products were affected, as Log4j would…
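The SBOM and monitoring mitigations above, applied to the Log4Shell example, as an added illustration that is not part of the CWE entry: a small checker that matches a constructed CycloneDX-style SBOM against a constructed advisory feed with numeric version-range comparison, and records which components pull the vulnerable one in (the "reachability" the consequences section mentions). The SBOM contents, the tomcat advisory and the identifier EXAMPLE-ADV-0001 are made up; the log4j range mirrors the public CVE-2021-44228 fix version.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment for illustration (not any real product's SBOM).
SBOM_JSON = json.dumps({
    "components": [
        {"bom-ref": "log4j-core", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "app-logging", "name": "app-logging", "version": "1.0.0"},
        {"bom-ref": "tomcat", "name": "tomcat-embed-core", "version": "9.0.70"},
    ],
    "dependencies": [
        {"ref": "app-logging", "dependsOn": ["log4j-core"]},
        {"ref": "tomcat", "dependsOn": []},
    ],
})

# Constructed advisory feed as (component name, introduced, fixed, advisory id).
# Ranges are half-open [introduced, fixed). The log4j entry mirrors the public
# CVE-2021-44228 fix version; the tomcat entry is a hypothetical placeholder.
ADVISORIES = [
    ("log4j-core", "2.0.0", "2.15.0", "CVE-2021-44228"),
    ("tomcat-embed-core", "9.0.0", "9.0.60", "EXAMPLE-ADV-0001"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically: string comparison would rank '2.9' above '2.15'."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def affected(version: str, introduced: str, fixed: str) -> bool:
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulnerable(sbom_json: str, advisories) -> List[Dict]:
    """Match each SBOM component against the advisory feed and record which
    components depend on it, i.e. how the vulnerable code is reached."""
    sbom = json.loads(sbom_json)
    parents: Dict[str, List[str]] = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    findings = []
    for comp in sbom["components"]:
        for name, introduced, fixed, adv_id in advisories:
            if comp["name"] == name and affected(comp["version"], introduced, fixed):
                findings.append({"ref": comp["bom-ref"], "version": comp["version"],
                                 "advisory": adv_id, "fixed_in": fixed,
                                 "reached_via": parents.get(comp["bom-ref"], [])})
    return findings
```

Running find_vulnerable(SBOM_JSON, ADVISORIES) flags only log4j-core 2.14.1 (reached via app-logging); tomcat-embed-core 9.0.70 is above the constructed fix version and is not reported.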
CVE ID | Title | CVSS | Severity | Published
CVE-2024-5246 | NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability — ProSAFE Network Management System | 8.8 (AI) | High (AI) | 2024-05-23
CVE-2024-21421 | Azure SDK Spoofing Vulnerability — Azure SDK | 7.5 | High | 2024-03-12
CVE-2024-0552 | Intumit inc. SmartRobot - Remote Code Execution — SmartRobot | 9.8 | Critical | 2024-01-15
CVE-2023-5332 | Dependency on Vulnerable Third-Party Component in GitLab — GitLab | 5.9 | Medium | 2023-12-04

Vulnerabilities classified as CWE-1395 represent 34 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.