CWE-1395 (abstraction: Class; status: Incomplete)

Dependency on Vulnerable Third-Party Component

This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws.

Definition

What is CWE-1395?

Modern software development heavily depends on third-party components—from open-source libraries to commercial SDKs and entire operating systems. While this accelerates development, it introduces risk: your application inherits every security weakness present in those dependencies. Attackers actively scan for applications using vulnerable versions of popular components, as they provide a reliable and often easy path to compromise. Managing this risk requires proactive vigilance. You cannot assume that external code, whether open or closed source, is secure. A vulnerability in a single small library can jeopardize the entire application. Therefore, a core part of your security process must be continuously identifying, tracking, and updating these external dependencies to patch known issues before they can be exploited.
Real-world impact

Real-world CVEs caused by CWE-1395

There are no public CVE references associated with this CWE in MITRE's catalogue yet.

How attackers exploit it

Step-by-step attacker path

  1. Identify a code path that handles untrusted input without validation.

  2. Craft a payload that exploits the unsafe behaviour: injection, traversal, overflow or logic abuse.

  3. Deliver the payload through a normal request and observe how the application reacts.

  4. Iterate until the response exposes data, executes attacker code or escalates privileges.

Vulnerable code example

Vulnerable pseudo

MITRE has not published a code example for this CWE. The pattern below is illustrative; see the Resources for canonical references.

```javascript
// Example pattern (not a canonical MITRE sample); see MITRE for the canonical references.
// executeUnsafe stands in for any sensitive sink reached by untrusted data.
function handleRequest(input) {
  // Untrusted input flows directly into the sensitive sink.
  return executeUnsafe(input);
}
```
Secure code example

Secure pseudo

```javascript
// Validate, sanitize, or use a safe API before reaching the sink.
// validateAndEscape and executeWithGuards stand in for a real validator and a guarded sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
```
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-1395

  • Requirements / Policy: In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
  • Requirements: Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
  • Architecture and Design / Implementation / Integration / Manufacturing: Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
  • Operation / Patching and Maintenance: Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
  • Operation / Patching and Maintenance: Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Detection signals

How to detect CWE-1395

Automated Analysis (effectiveness: High)

For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
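The SBOM requirement in the prevention checklist and the SCA check described above boil down to one operation: compare each inventoried component's version against the affected range of every known advisory. The following Python is an added example (not from MITRE, Plexicus, or any SCA tool) of that matching step; the CycloneDX-style SBOM fragment, package names and advisory IDs are all constructed, and versions are assumed to be plain dotted integers.

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "examplelib", "version": "1.4.2"},
    {"name": "oldparser",  "version": "2.0.9"},
    {"name": "safeutil",   "version": "3.1.0"}
  ]
}
"""

# Constructed advisories shaped like an OSV-style affected range:
# a component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "oldparser",  "introduced": "2.0.0", "fixed": "2.1.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "safeutil",   "introduced": "3.0.0", "fixed": "3.0.5"},
]


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so ranges compare numerically; comparing the
    raw strings would wrongly sort '1.10.0' before '1.9.0'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory id, fixed version) for every SBOM component
    whose version falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                findings.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}; upgrade to >= {fixed}")
```

Only oldparser is flagged: examplelib and safeutil are already at or past their fixed versions, which is exactly the distinction a lexical string comparison would get wrong for multi-digit components.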

Automatic remediation by Plexicus

Plexicus automatically detects CWE-1395 and opens a fix PR in under 60 seconds.

Codex Remedium analyses every commit, identifies this exact weakness and delivers a review-ready pull request with the patch. No tickets. No hand-offs.

Frequently asked questions

What is CWE-1395?

This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws.

How severe is CWE-1395?

MITRE has not published an exploitation likelihood rating for this weakness. Treat it as medium impact until your threat model proves otherwise.

Which languages or platforms are affected by CWE-1395?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.

How can I prevent CWE-1395?

In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed. Require a Bill of Materials for all components and sub-components of the product. For…

How does Plexicus detect and fix CWE-1395?

Plexicus's SAST engine correlates the CWE-1395 data-flow signature on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests and a one-line summary for the reviewer.

Where can I learn more about CWE-1395?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1395.html. You can also consult the OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-1395

CWE-657 (Parent)

Violation of Secure Design Principles

This weakness occurs when a system's architecture or design fails to follow fundamental security principles, creating a flawed foundation…

CWE-1192 (Sibling)

Improper Identifier for IP Block used in System-On-Chip (SOC)

This weakness occurs when a System-on-Chip (SoC) lacks a secure, unique, and permanent identifier for its internal hardware components (IP…

CWE-250 (Sibling)

Execution with Unnecessary Privileges

This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege…

CWE-636 (Sibling)

Not Failing Securely ('Failing Open')

This vulnerability occurs when a system, upon encountering an error or failure, defaults to its least secure configuration instead of a…

CWE-637 (Sibling)

Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')

This weakness occurs when a security feature is implemented with excessive complexity, creating unnecessary risk. Overly intricate…

CWE-638 (Sibling)

Not Using Complete Mediation

This vulnerability occurs when software fails to verify access permissions every single time a user or process tries to use a resource.…

CWE-653 (Sibling)

Improper Isolation or Compartmentalization

This vulnerability occurs when an application fails to enforce strong boundaries between components that operate at different security…

CWE-654 (Sibling)

Reliance on a Single Factor in a Security Decision

This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide…

CWE-655 (Sibling)

Insufficient Psychological Acceptability

This weakness occurs when security features are so cumbersome or confusing that well-intentioned users feel forced to turn them off or…
