# Vulnerable and Outdated Components (A06:2021)

Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, it can cause serious data loss.

## Overview

Previously titled Using Components with Known Vulnerabilities. It is #2 in the Top 10 community survey, but it also had enough data to make the Top 10 via data analysis.

## How Attackers Exploit This

### Known vulnerability exploitation

Attackers target publicly disclosed vulnerabilities in popular libraries before applications are patched.

**Detection signal:** Exploit attempts matching known CVE patterns, targeting specific library endpoints.

### Supply chain compromise

Malicious code is introduced through compromised or typosquatted packages.

**Detection signal:** Unexpected network connections, unusual package behaviours.

## How to Prevent

- Remove unused dependencies, features, components, and documentation
- Continuously inventory component versions and their dependencies
- Monitor sources like CVE and NVD for vulnerabilities in components
- Only obtain components from official sources over secure links
- Monitor for unmaintained libraries that don't receive security patches
- Use virtual patching via a web application firewall if needed

## CWEs with Detection Rules (1)

- **CWE-1104**: Use of Unmaintained Third Party Components (5 rules) [dockerfile, javascript]

## Other Mapped CWEs (2)

- CWE-937: CWE-937
- CWE-1035: Using Components with Known Vulnerabilities

## Quick Reference

- Total CWEs: 3
- With Shoulder rules: 1
- Detection rules: 5
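The two inventory-related prevention steps above (tracking component versions and watching for unmaintained libraries) can be automated. The following added example is not from the page or any real tool: it parses a constructed npm `package-lock.json` fragment, matches the installed versions against a constructed advisory list (the advisory id, version bounds and release dates are placeholders, not real CVE data), and flags packages whose last release is older than a configurable age.

```python
"""Inventory third-party components and match them against advisories (added example)."""
import json
import re
from datetime import date

# Constructed package-lock v2 style fragment; not a real project's lockfile.
LOCKFILE = json.loads("""{
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/lodash": {"version": "4.17.15"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/request": {"version": "2.88.2"}
  }
}""")

# Constructed advisory feed: the id and fixed version are placeholders.
ADVISORIES = [
    {"name": "lodash", "vulnerable_below": "4.17.21", "id": "ADV-EXAMPLE-0001"},
]
# Constructed "last release" dates used by the unmaintained-library check.
LAST_RELEASE = {"lodash": date(2023, 5, 1), "express": date(2022, 10, 8),
                "request": date(2020, 2, 11)}
TODAY = date(2024, 1, 1)  # fixed so the example is reproducible offline

def parse_version(v):
    """Turn '4.17.15' into (4, 17, 15) so tuples compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def inventory(lockfile):
    """Return {name: version} for every installed package, skipping the root entry."""
    return {path.split("node_modules/")[-1]: meta["version"]
            for path, meta in lockfile["packages"].items() if path}

def find_vulnerable(components, advisories):
    """List (name, installed version, advisory id) for versions below the fix."""
    hits = []
    for adv in advisories:
        ver = components.get(adv["name"])
        if ver and parse_version(ver) < parse_version(adv["vulnerable_below"]):
            hits.append((adv["name"], ver, adv["id"]))
    return hits

def find_unmaintained(components, last_release, today=TODAY, max_age_days=730):
    """List packages whose last release is older than max_age_days (unknown = fresh)."""
    return sorted(n for n in components
                  if (today - last_release.get(n, today)).days > max_age_days)

if __name__ == "__main__":
    comps = inventory(LOCKFILE)
    print("vulnerable:", find_vulnerable(comps, ADVISORIES))
    print("unmaintained:", find_unmaintained(comps, LAST_RELEASE))
```

In a real pipeline the advisory list would come from a feed such as NVD and the release dates from the package registry; the matching logic stays the same.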