logo

Database

Supply Chain Attack - Lock Files

Description

A lock file has not been defined to validate the integrity of the software to be used. This can lead to a supply chain attack if the software is compromised, such as by injecting malware.

Impact

Override dependencies or component with malicious content.

Recommendation

Set the version numbers in your administrator file and make use of the lock file where the complete software tree used by the project is defined and where it has integrity data defined for each software used.

Threat

Anonymous attacker from Internet with write access to the provider releases.

Expected Remediation Time

⏱️ 15 minutes.

Requirements

266 - Disable insecure functionalities

Fixes

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector

N

Attack complexity

H

Attack requirements

N

Privileges required

N

User interaction

P

Confidentiality (VC)

N

Integrity (VI)

L

Availability (VA)

N

Confidentiality (SC)

N

Integrity (SI)

N

Availability (SA)

N

Threat 4.0

Exploit maturity

U

Vector string

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U