Detections
Analytics
Package Dependencies Detected
medium Web App Scanning Plugin ID 113158
Language:
Synopsis
Package Dependencies DetectedDescription
Programming languages are often used along with package management tools designed to help developers manages the code dependencies when building their web applications (for example : Composer for PHP, NPM for NodeJS, PIP for Python...). These tools usually work by requesting public code repositories in order to fetch the dependencies and help installing and using specific versions in the project.When package configuration files are exposed, an attacker could use it to infer the software components used in the target application and to try conduct further attacks.
Solution
Ensure that the package management tool files are not deployed with the application or, at least, is not exposed in a web server directory by setting proper permissions on it. Review the software components used in the application to ensure that they are expected and that they come from trusted distribution sources.See Also
Plugin Details
Severity: Medium
ID: 113158
Type: remote
Family: Data Exposure
Published: 2/23/2022
Updated: 3/18/2024
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 1.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Reference Information
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1, 2021-A5
WASC: Application Misconfiguration, Predictable Resource Location
CAPEC: 95
DISA STIG: APSC-DV-002480
HIPAA: 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3
OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8
PCI-DSS: 3.2-2.2