For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
CWE-1395 Class Incomplete
Dependency on Vulnerable Third-Party Component
This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws.
Definition
What is CWE-1395?
This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws.
Modern software development heavily depends on third-party components—from open-source libraries to commercial SDKs and entire operating systems. While this accelerates development, it introduces risk: your application inherits every security weakness present in those dependencies. Attackers actively scan for applications using vulnerable versions of popular components, as they provide a reliable and often easy path to compromise.
Managing this risk requires proactive vigilance. You cannot assume that external code, whether open or closed source, is secure. A vulnerability in a single small library can jeopardize the entire application. Therefore, a core part of your security process must be continuously identifying, tracking, and updating these external dependencies to patch known issues before they can be exploited.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-1395
Bisher sind in MITREs Katalog keine öffentlichen CVE-Referenzen mit dieser CWE verknüpft.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
Identifiziere einen Codepfad, der nicht vertrauenswürdige Eingaben ohne Validierung verarbeitet.
- 2
Erzeuge eine Payload, die das unsichere Verhalten auslöst — Injection, Traversal, Overflow oder Logik-Missbrauch.
- 3
Liefere die Payload über einen normalen Request aus und beobachte die Reaktion der Anwendung.
- 4
Iteriere, bis die Antwort Daten preisgibt, Angreifer-Code ausführt oder Berechtigungen eskaliert.
Verwundbares Codebeispiel
Vulnerable pseudo
MITRE hat kein Codebeispiel für diese CWE veröffentlicht. Das untenstehende Muster ist illustrativ — kanonische Referenzen findest du unter Ressourcen.
// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
// Untrusted input flows directly into the sensitive sink.
return executeUnsafe(input);
} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-1395
- Requirements / Policy In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
- Requirements Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
- Architecture and Design / Implementation / Integration / Manufacturing Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
- Operation / Patching and Maintenance Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
- Operation / Patching and Maintenance Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Erkennungssignale
How to detect CWE-1395
Plexicus erkennt CWE-1395 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-1395?
Wie gravierend ist CWE-1395?
Welche Sprachen oder Plattformen sind von CWE-1395 betroffen?
Wie kann ich CWE-1395 verhindern?
Wie erkennt und behebt Plexicus CWE-1395?
Wo erfahre ich mehr über CWE-1395?
Frequently asked questions
Was ist CWE-1395?
This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws.
Wie gravierend ist CWE-1395?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-1395 betroffen?
MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.
Wie kann ich CWE-1395 verhindern?
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed. Require a Bill of Materials for all components and sub-components of the product. For…
Wie erkennt und behebt Plexicus CWE-1395?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1395 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-1395?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1395.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-1395
CWE-657 Parent
Violation of Secure Design Principles
This weakness occurs when a system's architecture or design fails to follow fundamental security principles, creating a flawed foundation…
CWE-1192 Sibling
Improper Identifier for IP Block used in System-On-Chip (SOC)
This weakness occurs when a System-on-Chip (SoC) lacks a secure, unique, and permanent identifier for its internal hardware components (IP…
CWE-250 Sibling
Execution with Unnecessary Privileges
This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege…
CWE-636 Sibling
Not Failing Securely ('Failing Open')
This vulnerability occurs when a system, upon encountering an error or failure, defaults to its least secure configuration instead of a…
CWE-637 Sibling
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
This weakness occurs when a security feature is implemented with excessive complexity, creating unnecessary risk. Overly intricate…
CWE-638 Sibling
Not Using Complete Mediation
This vulnerability occurs when software fails to verify access permissions every single time a user or process tries to use a resource.…
CWE-653 Sibling
Improper Isolation or Compartmentalization
This vulnerability occurs when an application fails to enforce strong boundaries between components that operate at different security…
CWE-654 Sibling
Reliance on a Single Factor in a Security Decision
This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide…
CWE-655 Sibling
Insufficient Psychological Acceptability
This weakness occurs when security features are so cumbersome or confusing that well-intentioned users feel forced to turn them off or…
Ressourcen
Further reading
- MITRE — offizielle CWE-1395 https://cwe.mitre.org/data/definitions/1395.html
- The Unfortunate Reality of Insecure Libraries https://owasp.org/www-project-dependency-check/
- A06:2021 - Vulnerable and Outdated Components https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
- Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf
- The Cases for Using the SBOMs We Build https://www.atlanticcouncil.org/wp-content/uploads/2022/11/AC_SBOM_IB_v2-002.pdf
- OWASP Dependency-Check https://owasp.org/www-project-dependency-check/
- ICS Alert (ICS-ALERT-20-063-01): SweynTooth Vulnerabilities https://www.cisa.gov/news-events/ics-alerts/ics-alert-20-063-01
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.