CWE-1104
AllowedUse of Unmaintained Third Party Components
Abstraction: Base · Status: Incomplete
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
45 vulnerabilities reference this CWE, most recent first.
GHSA-CCQC-VX6W-76X6
Vulnerability from github – Published: 2023-12-25 00:30 – Updated: 2024-01-09 21:30Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
{
"affected": [],
"aliases": [
"CVE-2023-7102"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-24T22:15:08Z",
"severity": "CRITICAL"
},
"details": "Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.\n\n",
"id": "GHSA-ccqc-vx6w-76x6",
"modified": "2024-01-09T21:30:27Z",
"published": "2023-12-25T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7102"
},
{
"type": "WEB",
"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
},
{
"type": "WEB",
"url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
},
{
"type": "WEB",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
},
{
"type": "WEB",
"url": "https://metacpan.org/dist/Spreadsheet-ParseExcel"
},
{
"type": "WEB",
"url": "https://www.barracuda.com/company/legal/esg-vulnerability"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-7101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3QF-GC58-29P6
Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.
Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
{
"affected": [],
"aliases": [
"CVE-2022-36937"
],
"database_specific": {
"cwe_ids": [
"CWE-1104",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T19:15:08Z",
"severity": "CRITICAL"
},
"details": "HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.\n\nApplications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.",
"id": "GHSA-f3qf-gc58-29p6",
"modified": "2024-04-04T04:01:24Z",
"published": "2023-05-10T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36937"
},
{
"type": "WEB",
"url": "https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b"
},
{
"type": "WEB",
"url": "https://hhvm.com/blog/2023/01/20/security-update.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F9JC-68CV-WP63
Vulnerability from github – Published: 2025-01-22 03:30 – Updated: 2025-01-24 00:31This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components).
Users are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support.
{
"affected": [],
"aliases": [
"CVE-2025-23089"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-22T02:15:34Z",
"severity": "HIGH"
},
"details": "This CVE has been issued to inform users that they are using End-of-Life (EOL) versions of Node.js. These versions are no longer supported and do not receive updates, including security patches. The continued use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies (CWE-1104: Use of Unmaintained Third-Party Components).\n\nUsers are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support.",
"id": "GHSA-f9jc-68cv-wp63",
"modified": "2025-01-24T00:31:46Z",
"published": "2025-01-22T03:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23089"
},
{
"type": "WEB",
"url": "https://endoflife.date/nodejs"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FG22-JF8J-5MRR
Vulnerability from github – Published: 2025-10-23 06:30 – Updated: 2025-11-07 21:31Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
{
"affected": [],
"aliases": [
"CVE-2025-12104"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T04:15:52Z",
"severity": "CRITICAL"
},
"details": "Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
"id": "GHSA-fg22-jf8j-5mrr",
"modified": "2025-11-07T21:31:20Z",
"published": "2025-10-23T06:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12104"
},
{
"type": "WEB",
"url": "https://azure-access.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G2WP-R2JM-2M5F
Vulnerability from github – Published: 2024-10-02 15:30 – Updated: 2024-10-02 15:30A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2024-8885"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-02T13:15:12Z",
"severity": "HIGH"
},
"details": "A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.",
"id": "GHSA-g2wp-r2jm-2m5f",
"modified": "2024-10-02T15:30:38Z",
"published": "2024-10-02T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8885"
},
{
"type": "WEB",
"url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20241002-cde-lpe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRPP-F84W-XHFG
Vulnerability from github – Published: 2020-09-04 16:55 – Updated: 2021-10-04 19:13Versions of vue-moment prior to 4.1.0 contain an Outdated Static Dependency. The package depends on moment and has it loaded statically instead of as a dependency that can be updated. It has moment@2.19.1 that contains a Regular Expression Denial of Service vulnerability.
Recommendation
Upgrade to version 4.1.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vue-moment"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:58:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Versions of `vue-moment` prior to 4.1.0 contain an Outdated Static Dependency. The package depends on `moment` and has it loaded statically instead of as a dependency that can be updated. It has `moment@2.19.1` that contains a Regular Expression Denial of Service vulnerability.\n\n\n## Recommendation\n\nUpgrade to version 4.1.0 or later.",
"id": "GHSA-hrpp-f84w-xhfg",
"modified": "2021-10-04T19:13:23Z",
"published": "2020-09-04T16:55:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/brockpetrie/vue-moment/commit/a265e54660a7181a6795a12a97cebac5b305746e"
},
{
"type": "PACKAGE",
"url": "https://github.com/brockpetrie/vue-moment"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-VUEMOMENT-538934"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1425"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/532"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Outdated Static Dependency in vue-moment"
}
GHSA-J2MF-X92X-CPM8
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-20010"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T17:15:39Z",
"severity": "HIGH"
},
"details": "Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
"id": "GHSA-j2mf-x92x-cpm8",
"modified": "2025-11-11T18:30:17Z",
"published": "2025-11-11T18:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20010"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PF92-76H5-2R52
Vulnerability from github – Published: 2024-12-17 09:31 – Updated: 2024-12-17 09:31CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete control of the device when an authenticated user installs malicious code into HMI product.
{
"affected": [],
"aliases": [
"CVE-2024-11999"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-17T07:15:06Z",
"severity": "HIGH"
},
"details": "CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete\ncontrol of the device when an authenticated user installs malicious code into HMI product.",
"id": "GHSA-pf92-76h5-2r52",
"modified": "2024-12-17T09:31:05Z",
"published": "2024-12-17T09:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11999"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-345-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-345-02.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PP8R-VV2J-9J5V
Vulnerability from github – Published: 2022-09-16 17:12 – Updated: 2022-09-16 17:12Crate traitobject has not had a release for over five years.
In addition there is an existing security advisory that has not been addressed:
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "traitobject"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T17:12:59Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Crate `traitobject` has not had a release for over five years.\n\nIn addition there is an existing security advisory that has not been addressed:\n\n - [RUSTSEC-2020-0027](https://rustsec.org/advisories/RUSTSEC-2020-0027)\n\n## Possible Alternative(s)\n\n The below list has not been vetted in any way and may or may not contain alternatives;\n\n - [destructure_traitobject]\n\n[destructure_traitobject]: https://crates.io/crates/destructure_traitobject\n",
"id": "GHSA-pp8r-vv2j-9j5v",
"modified": "2022-09-16T17:12:59Z",
"published": "2022-09-16T17:12:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reem/rust-traitobject/issues/7"
},
{
"type": "PACKAGE",
"url": "https://github.com/reem/rust-traitobject"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0144.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "traitobject is Unmaintained"
}
GHSA-Q56R-WGJ6-2G29
Vulnerability from github – Published: 2025-07-09 09:31 – Updated: 2025-07-09 09:31The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product.
{
"affected": [],
"aliases": [
"CVE-2025-3497"
],
"database_specific": {
"cwe_ids": [
"CWE-1104"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-09T09:15:27Z",
"severity": "HIGH"
},
"details": "The Linux distribution underlying the Radiflow iSAP Smart Collector \n(CentOS 7 - VSAP 1.20) is obsolete and \nreached end of life (EOL) on\nJune 30, 2024. Thus, any \nunmitigated vulnerability could be exploited to affect this product.",
"id": "GHSA-q56r-wgj6-2g29",
"modified": "2025-07-09T09:31:12Z",
"published": "2025-07-09T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3497"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.