Common Weakness Enumeration

CWE-1395

Allowed-with-Review

Dependency on Vulnerable Third-Party Component

Abstraction: Class · Status: Incomplete

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

110 vulnerabilities reference this CWE, most recent first.

GHSA-3HFP-GQGH-XC5G

Vulnerability from github – Published: 2026-04-02 18:36 – Updated: 2026-04-02 18:36
VLAI
Summary
Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions
Details

Impact

A supply chain attack on the axios npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm account to publish the malicious versions.

The malicious versions were live on npm for approximately 3 hours (00:21 UTC to 03:29 UTC on March 31, 2026) before being removed.

The @lightdash/cli package specified axios as a dependency with a semver range (^1.12.0) that permitted resolution to the compromised version. Any user who performed a fresh install of @lightdash/cli versions >= 0.1800.0, < 0.2695.1 (without a pre-existing lockfile) during this window may have installed the malicious axios version.

If compromised, the RAT establishes a connection to a command-and-control server (sfrclak[.]com / 142.11.206.73:8000) and provides the attacker with shell access, file system enumeration, and the ability to execute arbitrary commands. All credentials, secrets, and tokens accessible from the affected machine should be considered compromised.

Lightdash Cloud is not affected.

Patches

This has been patched in @lightdash/cli@0.2695.1. The fix pins axios to a known safe version (1.14.0).

Users should upgrade immediately:

npm install -g @lightdash/cli@0.2695.1

If users had installed the compromised version, they should check for RAT artifacts before and after upgrading:

  • macOS: /Library/Caches/com.apple.act.mond
  • Windows: %PROGRAMDATA%\wt.exe
  • Linux: /tmp/ld.py

If any artifacts are found, assume full compromise of that machine and rotate all accessible credentials (warehouse credentials, API tokens, SSH keys, cloud provider credentials, environment variables).

Workarounds

If users cannot upgrade immediately, they can force a safe axios resolution after installing the CLI:

npm install -g axios@1.14.0 --force

Alternatively, if users are building a Docker image or using a lockfile, they should ensure their resolved axios version is not 1.14.1 or 0.30.4:

npm ls axios

Block egress traffic to sfrclak[.]com and 142.11.206.73 at the network level to prevent the RAT from reaching its command-and-control server.

Resources

  • Upstream axios issue: https://github.com/axios/axios/issues/10604
  • StepSecurity analysis: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
  • Socket analysis: https://socket.dev/blog/axios-npm-package-compromised
  • Snyk advisory (axios): https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650
  • Snyk advisory (plain-crypto-js): https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652
  • The Hacker News coverage: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@lightdash/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1800.0"
            },
            {
              "fixed": "0.2695.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-508"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T18:36:10Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA supply chain attack on the `axios` npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency (`plain-crypto-js@4.2.1`) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer\u0027s npm account to publish the malicious versions.\n\nThe malicious versions were live on npm for approximately 3 hours (00:21 UTC to 03:29 UTC on March 31, 2026) before being removed.\n\nThe `@lightdash/cli` package specified axios as a dependency with a semver range (`^1.12.0`) that permitted resolution to the compromised version. Any user who performed a fresh install of `@lightdash/cli` versions `\u003e= 0.1800.0, \u003c 0.2695.1` (without a pre-existing lockfile) during this window may have installed the malicious axios version.\n\nIf compromised, the RAT establishes a connection to a command-and-control server (`sfrclak[.]com` / `142.11.206.73:8000`) and provides the attacker with shell access, file system enumeration, and the ability to execute arbitrary commands. All credentials, secrets, and tokens accessible from the affected machine should be considered compromised.\n\nLightdash Cloud is not affected.\n\n### Patches\n\nThis has been patched in `@lightdash/cli@0.2695.1`. The fix pins axios to a known safe version (1.14.0).\n\nUsers should upgrade immediately:\n\n```\nnpm install -g @lightdash/cli@0.2695.1\n```\n\nIf users had installed the compromised version, they should check for RAT artifacts before and after upgrading:\n\n- macOS: `/Library/Caches/com.apple.act.mond`\n- Windows: `%PROGRAMDATA%\\wt.exe`\n- Linux: `/tmp/ld.py`\n\nIf any artifacts are found, assume full compromise of that machine and rotate all accessible credentials (warehouse credentials, API tokens, SSH keys, cloud provider credentials, environment variables).\n\n### Workarounds\n\nIf users cannot upgrade immediately, they can force a safe axios resolution after installing the CLI:\n\n```\nnpm install -g axios@1.14.0 --force\n```\n\nAlternatively, if users are building a Docker image or using a lockfile, they should ensure their resolved axios version is not 1.14.1 or 0.30.4:\n\n```\nnpm ls axios\n```\n\nBlock egress traffic to `sfrclak[.]com` and `142.11.206.73` at the network level to prevent the RAT from reaching its command-and-control server.\n\n### Resources\n\n- Upstream axios issue: https://github.com/axios/axios/issues/10604\n- StepSecurity analysis: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan\n- Socket analysis: https://socket.dev/blog/axios-npm-package-compromised\n- Snyk advisory (axios): https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650\n- Snyk advisory (plain-crypto-js): https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652\n- The Hacker News coverage: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html",
  "id": "GHSA-3hfp-gqgh-xc5g",
  "modified": "2026-04-02T18:36:10Z",
  "published": "2026-04-02T18:36:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lightdash/lightdash/security/advisories/GHSA-3hfp-gqgh-xc5g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/issues/10604"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lightdash/lightdash"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652"
    },
    {
      "type": "WEB",
      "url": "https://socket.dev/blog/axios-npm-package-compromised"
    },
    {
      "type": "WEB",
      "url": "https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html"
    },
    {
      "type": "WEB",
      "url": "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions"
}

GHSA-3VPC-4P9P-47HC

Vulnerability from github – Published: 2024-10-22 18:15 – Updated: 2024-10-22 18:15
VLAI
Summary
curl_cffi bundles a version of libcurl affected by High Severity vulnerability
Details

Summary

curl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0

Details

HIGH severity vulnerability in curl and libcurl: announcement Details are still unknown, but seems it will be a major issue as it's advertised by curl devs as "probably the worst curl security flaw in a long time". A patched version (8.4.0) and details will be published around 06:00 UTC on October 11. curl_cffi wheels on PyPI ship with libcurl 7.84.0

PoC

https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h

Resolution

Versions after 0.7 bundles with libcurl>=8.5, which is not affected by this issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "curl-cffi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0b6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-22T18:15:17Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\ncurl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl\u003c8.4.0\n\n### Details\nHIGH severity vulnerability in curl and libcurl: [announcement](https://github.com/curl/curl/discussions/12026#discussioncomment-7195548)\nDetails are still unknown, but seems it will be a major issue as it\u0027s advertised by curl devs as \"_probably the worst curl security flaw in a long time_\".\nA patched version (8.4.0) and details will be published around 06:00 UTC on October 11.\ncurl_cffi wheels on PyPI ship with libcurl 7.84.0\n\n### PoC\n[https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h](https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h)\n\n### Resolution\n\nVersions after 0.7 bundles with `libcurl\u003e=8.5`, which is not affected by this issue.\n",
  "id": "GHSA-3vpc-4p9p-47hc",
  "modified": "2024-10-22T18:15:17Z",
  "published": "2024-10-22T18:15:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-3vpc-4p9p-47hc"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-7xw9-w465-6x42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lexiforest/curl_cffi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "curl_cffi bundles a version of libcurl affected by High Severity vulnerability"
}

GHSA-46WH-3698-F2CX

Vulnerability from github – Published: 2026-03-29 15:37 – Updated: 2026-03-29 15:37
VLAI
Summary
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
Details

Summary

There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).

A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 :path pseudo-header omitting the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server routes such requests correctly, path-based authorization interceptors evaluate the raw non-canonical path and fail to match "deny" rules, allowing the request to bypass the policy entirely if a fallback "allow" rule is present.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.42
  • https://github.com/traefik/traefik/releases/tag/v3.6.12
  • https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description ### Summary This CVE hits traefik until Version 3.6.11 and 2.11.41. gRPC-Go has an authorization bypass via missing leading slash in :path ### Details As described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3 ### PoC Update library version in https://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108 ### Impact Is described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-beta3"
            },
            {
              "fixed": "3.6.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-ea.1"
            },
            {
              "fixed": "3.7.0-ea.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:37:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThere is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).\n\nA remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server routes such requests correctly, path-based authorization interceptors evaluate the raw non-canonical path and fail to match \"deny\" rules, allowing the request to bypass the policy entirely if a fallback \"allow\" rule is present.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.42\n- https://github.com/traefik/traefik/releases/tag/v3.6.12\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nThis CVE hits traefik until Version 3.6.11 and 2.11.41.\ngRPC-Go has an authorization bypass via missing leading slash in :path\n### Details\nAs described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3\n### PoC\nUpdate library version in \nhttps://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108\n### Impact\nIs described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3\n\n\u003c/details\u003e\n\n\n----------",
  "id": "GHSA-46wh-3698-f2cx",
  "modified": "2026-03-29T15:37:29Z",
  "published": "2026-03-29T15:37:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p77j-4mvh-x3m3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.42"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)"
}

GHSA-47H8-JMP3-9F28

Vulnerability from github – Published: 2024-12-19 15:14 – Updated: 2024-12-20 18:35
VLAI
Summary
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
Details

pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w.

All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.

Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected.

An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.

Thanks to ⬡-49016 for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyrage"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-25",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-19T15:14:06Z",
    "nvd_published_at": "2024-12-19T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "`pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w.\n\nAll details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.\n\nVersions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**.\n\nAn equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).\n\nThanks to \u2b21-49016 for reporting this issue.",
  "id": "GHSA-47h8-jmp3-9f28",
  "modified": "2024-12-20T18:35:12Z",
  "published": "2024-12-19T15:14:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56327"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4fg7-vxc8-qx5w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/woodruffw/pyrage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution"
}

GHSA-52CW-PVQ9-9M5V

Vulnerability from github – Published: 2024-07-17 16:00 – Updated: 2024-07-22 16:54
VLAI
Summary
Silverstripe uses TinyMCE which allows svg files linked in object tags
Details

Impact

TinyMCE v6 has a configuration value convert_unsafe_embeds set to false which allows svg files containing javascript to be used in <object> or <embed> tags, which can be used as a vector for XSS attacks.

Note that <embed> tags are not allowed by default.

After patching the default value of convert_unsafe_embeds will be set to true. This means that <object> tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved <object> tags. Developers can override this configuration if desired to revert to the original behaviour.

We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.

References:

  • https://www.silverstripe.org/download/security-releases/ss-2024-001
  • https://github.com/advisories/GHSA-5359-pvf2-pw78
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T16:00:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nTinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `\u003cobject\u003e` or `\u003cembed\u003e` tags, which can be used as a vector for XSS attacks.\n\nNote that `\u003cembed\u003e` tags are not allowed by default.\n\nAfter patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `\u003cobject\u003e` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `\u003cobject\u003e` tags. Developers can override this configuration if desired to revert to the original behaviour.\n\nWe reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.\n\n### References:\n- https://www.silverstripe.org/download/security-releases/ss-2024-001\n- https://github.com/advisories/GHSA-5359-pvf2-pw78\n\n",
  "id": "GHSA-52cw-pvq9-9m5v",
  "modified": "2024-07-22T16:54:34Z",
  "published": "2024-07-17T16:00:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-52cw-pvq9-9m5v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-001.yaml"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-5359-pvf2-pw78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/silverstripe/silverstripe-framework"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/ss-2024-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Silverstripe uses TinyMCE which allows svg files linked in object tags"
}

GHSA-534C-HCR7-67JG

Vulnerability from github – Published: 2024-09-17 18:36 – Updated: 2024-11-14 17:45
VLAI
Summary
Kimai has an XXE Leading to Local File Read
Details

Summary

Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.

Details

Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The vulnerability is triggered by the following code snippet:

// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41
public function render(InvoiceDocument $document, InvoiceModel $model): Response
{
    $spreadsheet = IOFactory::load($document->getFilename());
    $worksheet = $spreadsheet->getActiveSheet();
    $entries = $model->getCalculator()->getEntries();
    $sheetReplacer = $model->toArray();
    $invoiceItemCount = \count($entries);
    if ($invoiceItemCount > 1) {
        $this->addTemplateRows($worksheet, $invoiceItemCount);
    }
}

The IOFactory::load function utilizes simplexml_load_string, which has previously been demonstrated to be vulnerable to XXE attacks.

While this is not directly an XXE in Kimai, it does however impact the latest stable version.

PoC

By uploading a malicious XLSX template, the payload will be triggered every time an invoice is generated.

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter/......." > %xxe;]>.....

For a better a visibility, I will upload both a: - Malicious template sample for testing - An exported invoice, showing the contents of target file during the export.

Impact

Local File Read / RCE in edge cases where phar:// can be utilized with gadget chains .

export.xlsx sample_template.xlsx

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.20.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T18:36:50Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nKimai uses [PHPSpreadsheet](https://github.com/PHPOffice/PhpSpreadsheet) for importing and exporting invoices. Recently, a [CVE](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7) was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.\n\n\n### Details\n\nExploitation requires an Administrator account, allowing the upload of an `XLSX` template containing the payload. The vulnerability is triggered by the following code snippet:\n\n```php\n// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41\npublic function render(InvoiceDocument $document, InvoiceModel $model): Response\n{\n    $spreadsheet = IOFactory::load($document-\u003egetFilename());\n    $worksheet = $spreadsheet-\u003egetActiveSheet();\n    $entries = $model-\u003egetCalculator()-\u003egetEntries();\n    $sheetReplacer = $model-\u003etoArray();\n    $invoiceItemCount = \\count($entries);\n    if ($invoiceItemCount \u003e 1) {\n        $this-\u003eaddTemplateRows($worksheet, $invoiceItemCount);\n    }\n}\n```\n\nThe `IOFactory::load` function utilizes `simplexml_load_string`, which has previously been demonstrated to be vulnerable to XXE attacks.\n\nWhile this is not directly an XXE in Kimai, it does however impact the latest stable version.\n\n \n### PoC\n\nBy uploading a malicious `XLSX` template, the payload will be triggered every time an invoice is generated.\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE foo [ \u003c!ENTITY % xxe SYSTEM \"php://filter/.......\" \u003e %xxe;]\u003e.....\n```\n\nFor a better a visibility, I will upload both a:\n- Malicious template sample for testing \n- An exported invoice, showing the contents of target file during the export. \n\n### Impact\nLocal File Read / RCE in edge cases where `phar://` can be utilized with [gadget chains](https://github.com/ambionics/phpggc) . \n\n\n[export.xlsx](https://github.com/user-attachments/files/16803913/export.xlsx)\n[sample_template.xlsx](https://github.com/user-attachments/files/16803916/sample_template.xlsx)\n",
  "id": "GHSA-534c-hcr7-67jg",
  "modified": "2024-11-14T17:45:16Z",
  "published": "2024-09-17T18:36:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-534c-hcr7-67jg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/commit/3204dcb03e1003dba90178667a4667ce3edb87b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai has an XXE Leading to Local File Read"
}

GHSA-537C-GMF6-5CCF

Vulnerability from github – Published: 2026-06-15 20:12 – Updated: 2026-06-15 20:12
VLAI
Summary
Vulnerable OpenSSL included in cryptography wheels
Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptography"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "48.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:12:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "pyca/cryptography\u0027s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
  "id": "GHSA-537c-gmf6-5ccf",
  "modified": "2026-06-15T20:12:27Z",
  "published": "2026-06-15T20:12:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-537c-gmf6-5ccf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyca/cryptography"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20260609.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vulnerable OpenSSL included in cryptography wheels"
}

GHSA-5423-JCJM-2GPV

Vulnerability from github – Published: 2025-04-18 19:35 – Updated: 2025-04-18 19:35
VLAI
Summary
Traefik affected by Go HTTP Request Smuggling Vulnerability
Details

Summary

net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x < 1.23.8

More Details: CVE-2025-22871

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.24
  • https://github.com/traefik/traefik/releases/tag/v3.3.6
  • https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0-rc1"
            },
            {
              "fixed": "3.4.0-rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.4.0-rc1"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-18T19:35:17Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nnet/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x \u003c 1.23.8\n\nMore Details: [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871)\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.24\n- https://github.com/traefik/traefik/releases/tag/v3.3.6\n- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2",
  "id": "GHSA-5423-jcjm-2gpv",
  "modified": "2025-04-18T19:35:17Z",
  "published": "2025-04-18T19:35:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-5423-jcjm-2gpv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.3.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik affected by Go HTTP Request Smuggling Vulnerability"
}

GHSA-594F-3595-C47V

Vulnerability from github – Published: 2026-03-18 12:59 – Updated: 2026-03-18 12:59
VLAI
Summary
Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121
Details

Summary

The terraform-provider-argocd might have been vulnerable to GO-2026-4337 / CVE-2025-68121 ("Unexpected session resumption in crypto/tls").

Details

See https://pkg.go.dev/vuln/GO-2026-4337 for the upstream vulnerability.

Provider versions starting with v7.15.1 are using go 1.25.8 for building and are thus no longer affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj-labs/terraform-provider-argocd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.3-0.20260316182343-b3364f3f32e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T12:59:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe terraform-provider-argocd might have been vulnerable to GO-2026-4337 / CVE-2025-68121 (\"Unexpected session resumption in crypto/tls\").\n\n### Details\n\nSee https://pkg.go.dev/vuln/GO-2026-4337 for the upstream vulnerability.\n\nProvider versions starting with `v7.15.1` are using `go 1.25.8` for building and are thus no longer affected.",
  "id": "GHSA-594f-3595-c47v",
  "modified": "2026-03-18T12:59:01Z",
  "published": "2026-03-18T12:59:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj-labs/terraform-provider-argocd/security/advisories/GHSA-594f-3595-c47v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj-labs/terraform-provider-argocd/commit/b3364f3f32e70f1563c5f3162d370db704430294"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj-labs/terraform-provider-argocd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121"
}

GHSA-5J59-XGG2-R9C4

Vulnerability from github – Published: 2025-12-12 17:21 – Updated: 2026-01-15 21:55
VLAI
Summary
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
Details

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.3.1-canary.0"
            },
            {
              "fixed": "14.2.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.6"
            },
            {
              "fixed": "15.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.1.10"
            },
            {
              "fixed": "15.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.2.7"
            },
            {
              "fixed": "15.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.3.7"
            },
            {
              "fixed": "15.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.4.9"
            },
            {
              "fixed": "15.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.5.8"
            },
            {
              "fixed": "15.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6.0-canary.59"
            },
            {
              "fixed": "15.6.0-canary.60"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.9"
            },
            {
              "fixed": "16.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.1.0-canary.17"
            },
            {
              "fixed": "16.1.0-canary.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-400",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-12T17:21:57Z",
    "nvd_published_at": "2025-12-12T00:15:46Z",
    "severity": "HIGH"
  },
  "details": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types.  As a result, certain crafted inputs could still trigger excessive resource consumption. \n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.",
  "id": "GHSA-5j59-xgg2-r9c4",
  "modified": "2026-01-15T21:55:04Z",
  "published": "2025-12-12T17:21:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67779"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://nextjs.org/blog/security-update-2025-12-11"
    },
    {
      "type": "WEB",
      "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2025-67779"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up"
}

Mitigation
Requirements Policy

In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.

Mitigation
Requirements

Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].

Mitigation
Architecture and Design Implementation Integration Manufacturing

Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."

Mitigation
Operation Patching and Maintenance

Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.

Mitigation
Operation Patching and Maintenance

Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.

No CAPEC attack patterns related to this CWE.