Common Weakness Enumeration

CWE-1104

Allowed

Use of Unmaintained Third Party Components

Abstraction: Base · Status: Incomplete

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

45 vulnerabilities reference this CWE, most recent first.

GHSA-CCQC-VX6W-76X6

Vulnerability from github – Published: 2023-12-25 00:30 – Updated: 2024-01-09 21:30
VLAI
Details

Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-24T22:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.\n\n",
  "id": "GHSA-ccqc-vx6w-76x6",
  "modified": "2024-01-09T21:30:27Z",
  "published": "2023-12-25T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/dist/Spreadsheet-ParseExcel"
    },
    {
      "type": "WEB",
      "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-7101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3QF-GC58-29P6

Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01
VLAI
Details

HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.

Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T19:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.\n\nApplications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.",
  "id": "GHSA-f3qf-gc58-29p6",
  "modified": "2024-04-04T04:01:24Z",
  "published": "2023-05-10T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b"
    },
    {
      "type": "WEB",
      "url": "https://hhvm.com/blog/2023/01/20/security-update.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9JC-68CV-WP63

Vulnerability from github – Published: 2025-01-22 03:30 – Updated: 2025-01-24 00:31
VLAI
Details

This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components).

Users are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-22T02:15:34Z",
    "severity": "HIGH"
  },
  "details": "This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components).\n\nUsers are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support.",
  "id": "GHSA-f9jc-68cv-wp63",
  "modified": "2025-01-24T00:31:46Z",
  "published": "2025-01-22T03:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23089"
    },
    {
      "type": "WEB",
      "url": "https://endoflife.date/nodejs"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FG22-JF8J-5MRR

Vulnerability from github – Published: 2025-10-23 06:30 – Updated: 2025-11-07 21:31
VLAI
Details

Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T04:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
  "id": "GHSA-fg22-jf8j-5mrr",
  "modified": "2025-11-07T21:31:20Z",
  "published": "2025-10-23T06:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12104"
    },
    {
      "type": "WEB",
      "url": "https://azure-access.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G2WP-R2JM-2M5F

Vulnerability from github – Published: 2024-10-02 15:30 – Updated: 2024-10-02 15:30
VLAI
Details

A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-02T13:15:12Z",
    "severity": "HIGH"
  },
  "details": "A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.",
  "id": "GHSA-g2wp-r2jm-2m5f",
  "modified": "2024-10-02T15:30:38Z",
  "published": "2024-10-02T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8885"
    },
    {
      "type": "WEB",
      "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20241002-cde-lpe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRPP-F84W-XHFG

Vulnerability from github – Published: 2020-09-04 16:55 – Updated: 2021-10-04 19:13
VLAI
Summary
Outdated Static Dependency in vue-moment
Details

Versions of vue-moment prior to 4.1.0 contain an Outdated Static Dependency. The package depends on moment and has it loaded statically instead of as a dependency that can be updated. It has moment@2.19.1 that contains a Regular Expression Denial of Service vulnerability.

Recommendation

Upgrade to version 4.1.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vue-moment"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:58:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `vue-moment` prior to 4.1.0 contain an Outdated Static Dependency. The package depends on `moment` and has it loaded statically instead of as a dependency that can be updated. It has `moment@2.19.1` that contains a Regular Expression Denial of Service vulnerability.\n\n\n## Recommendation\n\nUpgrade to version 4.1.0 or later.",
  "id": "GHSA-hrpp-f84w-xhfg",
  "modified": "2021-10-04T19:13:23Z",
  "published": "2020-09-04T16:55:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/brockpetrie/vue-moment/commit/a265e54660a7181a6795a12a97cebac5b305746e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/brockpetrie/vue-moment"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-VUEMOMENT-538934"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1425"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/532"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Outdated Static Dependency in vue-moment"
}

GHSA-J2MF-X92X-CPM8

Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30
VLAI
Details

Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T17:15:39Z",
    "severity": "HIGH"
  },
  "details": "Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
  "id": "GHSA-j2mf-x92x-cpm8",
  "modified": "2025-11-11T18:30:17Z",
  "published": "2025-11-11T18:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20010"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PF92-76H5-2R52

Vulnerability from github – Published: 2024-12-17 09:31 – Updated: 2024-12-17 09:31
VLAI
Details

CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete control of the device when an authenticated user installs malicious code into HMI product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-17T07:15:06Z",
    "severity": "HIGH"
  },
  "details": "CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete\ncontrol of the device when an authenticated user installs malicious code into HMI product.",
  "id": "GHSA-pf92-76h5-2r52",
  "modified": "2024-12-17T09:31:05Z",
  "published": "2024-12-17T09:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11999"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-345-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-345-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PP8R-VV2J-9J5V

Vulnerability from github – Published: 2022-09-16 17:12 – Updated: 2022-09-16 17:12
VLAI
Summary
traitobject is Unmaintained
Details

Crate traitobject has not had a release for over five years.

In addition there is an existing security advisory that has not been addressed:

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "traitobject"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T17:12:59Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Crate `traitobject` has not had a release for over five years.\n\nIn addition there is an existing security advisory that has not been addressed:\n\n - [RUSTSEC-2020-0027](https://rustsec.org/advisories/RUSTSEC-2020-0027)\n\n## Possible Alternative(s)\n\n The below list has not been vetted in any way and may or may not contain alternatives;\n\n - [destructure_traitobject]\n\n[destructure_traitobject]: https://crates.io/crates/destructure_traitobject\n",
  "id": "GHSA-pp8r-vv2j-9j5v",
  "modified": "2022-09-16T17:12:59Z",
  "published": "2022-09-16T17:12:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reem/rust-traitobject/issues/7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reem/rust-traitobject"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0144.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "traitobject is Unmaintained"
}

GHSA-Q56R-WGJ6-2G29

Vulnerability from github – Published: 2025-07-09 09:31 – Updated: 2025-07-09 09:31
VLAI
Details

The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1104"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-09T09:15:27Z",
    "severity": "HIGH"
  },
  "details": "The Linux distribution underlying the Radiflow iSAP Smart Collector \n(CentOS 7 - VSAP 1.20) is obsolete and \nreached end of life (EOL) on\nJune 30, 2024.  Thus, any \nunmitigated vulnerability could be exploited to affect this product.",
  "id": "GHSA-q56r-wgj6-2g29",
  "modified": "2025-07-09T09:31:12Z",
  "published": "2025-07-09T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3497"
    },
    {
      "type": "WEB",
      "url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.