CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
CVE-2025-31973 (GCVE-0-2025-31973)
Vulnerability from cvelistv5 – Published: 2026-05-20 11:25 – Updated: 2026-05-20 12:51- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| HCL | BigFix Service Management (SM) |
Affected:
23
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T12:50:57.430915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T12:51:05.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Service Management (SM)",
"vendor": "HCL",
"versions": [
{
"status": "affected",
"version": "23"
}
]
}
],
"datePublic": "2026-05-06T11:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HCL BigFix Service Management (SM) is susceptible to a Configuration \u2013 \u0027Insecure Use of Base Image Version\u0027. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment."
}
],
"value": "HCL BigFix Service Management (SM) is susceptible to a Configuration \u2013 \u0027Insecure Use of Base Image Version\u0027. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T11:25:44.157Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0128144"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Service Management (SM) is susceptible to a Configuration \u2013 \u0027Insecure Use of Base Image Version\u0027",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2025-31973",
"datePublished": "2026-05-20T11:25:44.157Z",
"dateReserved": "2025-04-01T18:46:26.620Z",
"dateUpdated": "2026-05-20T12:51:05.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15638 (GCVE-0-2025-15638)
Vulnerability from cvelistv5 – Published: 2026-04-21 15:34 – Updated: 2026-04-21 16:23- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://www.cve.org/CVERecord?id=CVE-2016-6129 | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2018-12437 | vendor-advisory |
| https://metacpan.org/release/ATRODO/Net-Dropbear-… | release-notes |
| Vendor | Product | Version | |
|---|---|---|---|
| ATRODO | Net::Dropbear |
Affected:
0 , < 0.14
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:22:48.674288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:23:17.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Dropbear",
"product": "Net::Dropbear",
"repo": "https://github.com/atrodo/Net-Dropbear",
"vendor": "ATRODO",
"versions": [
{
"lessThan": "0.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.\n\nNet::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T15:34:18.988Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6129"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12437"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-15638",
"datePublished": "2026-04-21T15:34:18.988Z",
"dateReserved": "2026-04-20T12:20:50.153Z",
"dateUpdated": "2026-04-21T16:23:17.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15444 (GCVE-0-2025-15444)
Vulnerability from cvelistv5 – Published: 2026-01-06 00:22 – Updated: 2026-01-06 19:01- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| IAMB | Crypt::Sodium::XS |
Affected:
0 , < 0.000042
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:23:55.371687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:01:27.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Crypt-Sodium-XS",
"product": "Crypt::Sodium::XS",
"vendor": "IAMB",
"versions": [
{
"lessThan": "0.000042",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crypt::Sodium::XS module versions prior to\u0026nbsp;0.000042,\u0026nbsp;for Perl, include a vulnerable version of libsodium\u003cbr\u003e\u003cbr\u003elibsodium \u0026lt;= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cve.org/CVERecord?id=CVE-2025-69277\"\u003ehttps://www.cve.org/CVERecord?id=CVE-2025-69277\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThe libsodium vulnerability states:\u003cbr\u003e\u003cbr\u003eIn atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren\u0027t in the main cryptographic group.\u003cbr\u003e\u003cbr\u003e0.000042 includes a version of\u0026nbsp;libsodium updated to 1.0.20-stable, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ereleased January 3, 2026, which includes a fix for the vulnerability.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium\n\nlibsodium \u003c= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277\u00a0 https://www.cve.org/CVERecord?id=CVE-2025-69277 .\n\nThe libsodium vulnerability states:\n\nIn atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren\u0027t in the main cryptographic group.\n\n0.000042 includes a version of\u00a0libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T00:22:50.114Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"
},
{
"url": "https://00f.net/2025/12/30/libsodium-vulnerability/"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/dist/Crypt-Sodium-XS/changes"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version\u0026nbsp;0.000042 or later"
}
],
"value": "Upgrade to version\u00a00.000042 or later"
}
],
"source": {
"discovery": "UPSTREAM"
},
"title": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-15444",
"datePublished": "2026-01-06T00:22:50.114Z",
"dateReserved": "2026-01-03T22:06:02.639Z",
"dateUpdated": "2026-01-06T19:01:27.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13823 (GCVE-0-2025-13823)
Vulnerability from cvelistv5 – Published: 2025-12-15 15:17 – Updated: 2025-12-15 16:37- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| Rockwell Automation | Micro820®, Micro850®, Micro870® |
Affected:
V23.011
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T16:37:05.856400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T16:37:15.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Micro820\u00ae, Micro850\u00ae, Micro870\u00ae",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "V23.011"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller, clear the fault. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "A security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller, clear the fault."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:17:48.725Z",
"orgId": "b73dd486-f505-4403-b634-40b078b177f0",
"shortName": "Rockwell"
},
"references": [
{
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://compatibility.rockwellautomation.com/Pages/MultiProductFindDownloads.aspx?crumb=112\u0026amp;mode=3\u0026amp;refSoft=1\u0026amp;versions=64421\"\u003eV23.012\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "V23.012 https://compatibility.rockwellautomation.com/Pages/MultiProductFindDownloads.aspx"
}
],
"source": {
"advisory": "SD1766",
"discovery": "UNKNOWN"
},
"title": "Micro820\u00ae, Micro850\u00ae, Micro870\u00ae \u2013 Specialized Fuzzing Vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
"assignerShortName": "Rockwell",
"cveId": "CVE-2025-13823",
"datePublished": "2025-12-15T15:17:48.725Z",
"dateReserved": "2025-12-01T14:29:23.430Z",
"dateUpdated": "2025-12-15T16:37:15.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12220 (GCVE-0-2025-12220)
Vulnerability from cvelistv5 – Published: 2025-10-25 15:53 – Updated: 2025-10-28 14:18- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| Azure Access Technology | BLU-IC2 |
Affected:
0 , ≤ 1.19.5
(semver)
|
|
| Azure Access Technology | BLU-IC4 |
Affected:
0 , ≤ 1.19.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12220",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T14:17:57.032025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:18:06.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BLU-IC2",
"vendor": "Azure Access Technology",
"versions": [
{
"lessThanOrEqual": "1.19.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BLU-IC4",
"vendor": "Azure Access Technology",
"versions": [
{
"lessThanOrEqual": "1.19.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Schaller"
},
{
"lang": "en",
"type": "finder",
"value": "Benjamin Lafois"
},
{
"lang": "en",
"type": "finder",
"value": "Alexi Bitsios"
},
{
"lang": "en",
"type": "finder",
"value": "Sebastian Toscano"
},
{
"lang": "en",
"type": "finder",
"value": "Dominik Schneider"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Busybox 1.31.1 - Multiple Known Vulnerabilities.\u003cp\u003eThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.\u003c/p\u003e"
}
],
"value": "Busybox 1.31.1 - Multiple Known Vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5."
}
],
"impacts": [
{
"capecId": "CAPEC-22",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-22 Exploiting Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-25T15:53:03.558Z",
"orgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
"shortName": "azure-access"
},
"references": [
{
"url": "https://azure-access.com/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Busybox 1.31.1 - Multiple Known Vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
"assignerShortName": "azure-access",
"cveId": "CVE-2025-12220",
"datePublished": "2025-10-25T15:53:03.558Z",
"dateReserved": "2025-10-25T15:52:48.624Z",
"dateUpdated": "2025-10-28T14:18:06.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-12219 (GCVE-0-2025-12219)
Vulnerability from cvelistv5 – Published: 2025-10-25 15:51 – Updated: 2025-10-28 14:17- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| Azure Access Technology | BLU-IC2 |
Affected:
0 , ≤ 1.19.5
(semver)
|
|
| Azure Access Technology | BLU-IC4 |
Affected:
0 , ≤ 1.19.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T14:17:05.349713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:17:14.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BLU-IC2",
"vendor": "Azure Access Technology",
"versions": [
{
"lessThanOrEqual": "1.19.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BLU-IC4",
"vendor": "Azure Access Technology",
"versions": [
{
"lessThanOrEqual": "1.19.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Schaller"
},
{
"lang": "en",
"type": "finder",
"value": "Benjamin Lafois"
},
{
"lang": "en",
"type": "finder",
"value": "Alexi Bitsios"
},
{
"lang": "en",
"type": "finder",
"value": "Sebastian Toscano"
},
{
"lang": "en",
"type": "finder",
"value": "Dominik Schneider"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerable Components in Azure Access OS.\u003cp\u003eThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.\u003c/p\u003e"
}
],
"value": "Vulnerable Components in Azure Access OS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5."
}
],
"impacts": [
{
"capecId": "CAPEC-22",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-22 Exploiting Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-25T15:51:58.319Z",
"orgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
"shortName": "azure-access"
},
"references": [
{
"url": "https://azure-access.com/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vulnerable Components in Azure Access OS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
"assignerShortName": "azure-access",
"cveId": "CVE-2025-12219",
"datePublished": "2025-10-25T15:51:58.319Z",
"dateReserved": "2025-10-25T15:50:41.942Z",
"dateUpdated": "2025-10-28T14:17:14.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11159 (GCVE-0-2025-11159)
Vulnerability from cvelistv5 – Published: 2026-05-13 05:36 – Updated: 2026-05-13 14:44- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , < 10.2.0.7
(maven)
Affected: 1.0 , < 11.0 (maven) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:44:30.743315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:44:36.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "10.2.0.7",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "11.0",
"status": "affected",
"version": "1.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a\u0026nbsp;data source administrator."
}
],
"value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a\u00a0data source administrator."
}
],
"impacts": [
{
"capecId": "CAPEC-310",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-310 Scanning for Vulnerable Software"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T05:36:43.720Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/39954640408077--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Dependency-on-Vulnerable-Third-Party-Component-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2025-11159"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Dependency on Vulnerable Third-Party Component",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-11159",
"datePublished": "2026-05-13T05:36:43.720Z",
"dateReserved": "2025-09-29T14:53:44.917Z",
"dateUpdated": "2026-05-13T14:44:36.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10226 (GCVE-0-2025-10226)
Vulnerability from cvelistv5 – Published: 2025-09-10 12:38 – Updated: 2025-10-08 11:56- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| AxxonSoft | AxxonOne C-Werk |
Affected:
0 , ≤ 2.0.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:11:00.834219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T13:11:16.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "AxxonOne C-Werk",
"vendor": "AxxonSoft",
"versions": [
{
"lessThanOrEqual": "2.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Implemented internally by the AxxonSoft DevOps and QA Security teams."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate privileges, execute arbitrary code, or cause denial-of-service via exploitation of multiple known CVEs present in PostgreSQL v10.x, which are resolved in PostgreSQL 17.4."
}
],
"value": "Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate privileges, execute arbitrary code, or cause denial-of-service via exploitation of multiple known CVEs present in PostgreSQL v10.x, which are resolved in PostgreSQL 17.4."
}
],
"impacts": [
{
"capecId": "CAPEC-630",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-630: Dependency Substitution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T11:56:42.741Z",
"orgId": "15ede60e-6fda-426e-be9c-e788f151a377",
"shortName": "AxxonSoft"
},
"references": [
{
"url": "https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories"
},
{
"url": "https://www.postgresql.org/docs/release"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade bundled or external PostgreSQL instances to \u003cstrong\u003ev17.4 or later\u003c/strong\u003e, which addresses all known CVEs up to that release and strengthens DB hardening.\n\n\u003cbr\u003e"
}
],
"value": "Upgrade bundled or external PostgreSQL instances to v17.4 or later, which addresses all known CVEs up to that release and strengthens DB hardening."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "PostgreSQL Upgrade from v10 to v17.4 in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier to Address Multiple Vulnerabilities",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For environments unable to upgrade immediately, limit database exposure (network segmentation, firewalling).\n\n\u003cbr\u003e\n\nRegularly monitor PostgreSQL security advisories for backported patches.\n\n\u003cbr\u003e"
}
],
"value": "For environments unable to upgrade immediately, limit database exposure (network segmentation, firewalling).\n\n\n\n\nRegularly monitor PostgreSQL security advisories for backported patches."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "15ede60e-6fda-426e-be9c-e788f151a377",
"assignerShortName": "AxxonSoft",
"cveId": "CVE-2025-10226",
"datePublished": "2025-09-10T12:38:42.549Z",
"dateReserved": "2025-09-10T12:37:44.975Z",
"dateUpdated": "2025-10-08T11:56:42.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45399 (GCVE-0-2024-45399)
Vulnerability from cvelistv5 – Published: 2024-09-04 20:12 – Updated: 2024-09-04 20:17| URL | Tags |
|---|---|
| https://github.com/indico/indico/security/advisor… | x_refsource_CONFIRM |
| https://github.com/indico/flask-multipass/commit/… | x_refsource_MISC |
| https://github.com/indico/indico/commit/7dcb57383… | x_refsource_MISC |
| https://github.com/indico/indico/releases/tag/v3.3.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T20:17:25.903426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T20:17:38.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "indico",
"vendor": "indico",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the `flask-multipass` dependency to `\u003e=0.5.5` which fixes the vulnerability. Otherwise one could configure one\u0027s web server to disallow requests containing a query string with a `next` parameter that starts with `javascript:`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T20:12:20.457Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff"
},
{
"name": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
},
{
"name": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f"
},
{
"name": "https://github.com/indico/indico/releases/tag/v3.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/indico/indico/releases/tag/v3.3.4"
}
],
"source": {
"advisory": "GHSA-rrqf-w74j-24ff",
"discovery": "UNKNOWN"
},
"title": "Indico has a Cross-Site-Scripting during account creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45399",
"datePublished": "2024-09-04T20:12:20.457Z",
"dateReserved": "2024-08-28T20:21:32.803Z",
"dateUpdated": "2024-09-04T20:17:38.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38526 (GCVE-0-2024-38526)
Vulnerability from cvelistv5 – Published: 2024-06-25 23:53 – Updated: 2025-02-13 17:53- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://github.com/mitmproxy/pdoc/security/adviso… | x_refsource_CONFIRM |
| https://github.com/mitmproxy/pdoc/pull/703 | x_refsource_MISC |
| https://sansec.io/research/polyfill-supply-chain-attack | x_refsource_MISC |
| https://www.vicarius.io/vsociety/posts/polyfillio… |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mitmproxy:pdoc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pdoc",
"vendor": "mitmproxy",
"versions": [
{
"lessThan": "14.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38526",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T14:23:46.307681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T14:25:31.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.740Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62"
},
{
"name": "https://github.com/mitmproxy/pdoc/pull/703",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mitmproxy/pdoc/pull/703"
},
{
"name": "https://sansec.io/research/polyfill-supply-chain-attack",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pdoc",
"vendor": "mitmproxy",
"versions": [
{
"status": "affected",
"version": "\u003c 14.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:H/RL:O/RC:C/MC:N/MI:N/MA:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T16:18:22.866Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62"
},
{
"name": "https://github.com/mitmproxy/pdoc/pull/703",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mitmproxy/pdoc/pull/703"
},
{
"name": "https://sansec.io/research/polyfill-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
},
{
"url": "https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526"
}
],
"source": {
"advisory": "GHSA-5vgj-ggm4-fg62",
"discovery": "UNKNOWN"
},
"title": "pdoc embeds link to malicious CDN if math mode is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38526",
"datePublished": "2024-06-25T23:53:54.677Z",
"dateReserved": "2024-06-18T16:37:02.728Z",
"dateUpdated": "2025-02-13T17:53:15.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.