
120 Improper dependency pinning


Description

The application does not make explicit the whole dependency tree it requires (direct and indirect third-party libraries) and the respective version of each dependency.


Impact

- Accepting a range of versions can cause a version of a dependency that is not supported by the application to be installed automatically.
- Installing a dependency that contains a known vulnerability without being aware of it.
- Using a dependency version that is not compatible with the application.


Recommendation

All dependencies must be declared with a specific version and must be referenced through a dependency manager (npm, pip, maven). This standardizes how the project is built and packaged.
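As an added example (not part of this page or of any Fluid Attacks tooling), the following script performs the check a reviewer would run against this recommendation: it flags requirements.txt entries that lack an exact `==` version and package.json ranges that are not a single semver release. The manifests it scans are constructed samples embedded inline.

```python
"""Flag dependency declarations that accept more than one version."""
import json
import re

# Requirement line: name, optional extras, then the version specifier
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# Pinned pip spec: a single '==' comparator with a concrete version (no '*')
_PINNED_PIP_RE = re.compile(r"==\s*\d[\w.!+-]*")
# Exact npm version: MAJOR.MINOR.PATCH with optional pre-release/build tag
_EXACT_NPM_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def unpinned_requirements(text: str) -> list[str]:
    """Return package names in a requirements.txt not pinned to one exact version."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):       # skip blanks and options (-r, -e, ...)
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(3).strip()
        if _PINNED_PIP_RE.fullmatch(spec) is None:
            findings.append(name)
    return findings


def unpinned_npm(package_json: str) -> list[str]:
    """Return package names in package.json whose range is not one exact version."""
    data = json.loads(package_json)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, version_range in data.get(section, {}).items():
            if not _EXACT_NPM_RE.match(version_range.strip()):
                findings.append(name)
    return findings


# Constructed sample manifests (not taken from any real project)
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
-r base.txt
numpy==1.26.4
requests>=2.0,<3
flask
pyyaml==6.*
"""
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"lodash": "^4.17.21", "express": "4.18.2"},
  "devDependencies": {"jest": "~29.7.0", "eslint": "latest"}
}"""

if __name__ == "__main__":
    print("unpinned pip:", unpinned_requirements(SAMPLE_REQUIREMENTS))
    print("unpinned npm:", unpinned_npm(SAMPLE_PACKAGE_JSON))
```

Exact pins in the manifest are only half of the recommendation: the transitive tree is fixed by committing the manager's lockfile (package-lock.json, a pip-compiled requirements file) alongside it.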


Threat

Anonymous attacker with access to the application.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source code.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: U

Requirements


Fixes


Last updated

2024/02/13