431 – Supply Chain Attack - Lock Files
Description
A lock file has not been defined to validate the integrity of the software to be used. This can lead to a supply chain attack if the software is compromised, such as by injecting malware.
Impact
Override dependencies or component with malicious content.
Recommendation
Set the version numbers in your administrator file and make use of the lock file where the complete software tree used by the project is defined and where it has integrity data defined for each software used.
Threat
Anonymous attacker from Internet with write access to the provider releases.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: N
- User interaction: P
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: U