“Using components with known vulnerabilities” refers to an application that uses third-party code that contains known vulnerabilities. The result is that the vulnerabilities in the third-party code become vulnerabilities in the application.
This type of vulnerability affects all applications.
The impact of using components with known vulnerabilities depends on the nature of the vulnerabilities. Usually, this refers to code that is vulnerable to code injection, command injection or SQL injection. The impact in such scenarios is usually full system compromise. On top of that danger, attackers often scan for these types of vulnerabilities with automated tools, resulting in many non-targeted compromises. In other words, your application might get attacked simply because an attacker found a vulnerable component when scanning a large range of potential targets.
To prevent using components with known vulnerabilities, install patches.
To make sure that using components with known vulnerabilities is prevented, verify that patches are installed.
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.