CWE-1395: Dependency on Vulnerable Third-Party Component
Abstraction: Class
Status: Incomplete
Category: other
Description
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
Common consequences (1)
- Confidentiality / Integrity / Availability — Varies by Context: The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, since the exploitation paths and attack surface depend on how the component is used; and the criticality of the privilege levels and features for which the product relies on the component.
Potential mitigations (5)
- [Requirements, Policy] In some industries such as healthcare [REF-1320] [REF-1322], or technologies such as the cloud [REF-1321], it might be unclear who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities up front minimizes confusion and unnecessary delay when third-party vulnerabilities are disclosed.
- [Requirements] Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
- [Architecture and Design, Implementation, Integration, Manufacturing] Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
- [Operation, Patching and Maintenance] Actively monitor for third-party component vendors announcing vulnerability patches; update the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
- [Operation, Patching and Maintenance] Continuously monitor changes in each of the product's components, especially changes that indicate new vulnerabilities, end-of-life (EOL) plans, etc.
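The SBOM and monitoring mitigations above are only useful once the inventory is actually checked against what vendors announce. The following Python script is an added example (not part of the CWE entry and not MITRE or any vendor's tooling): it loads a CycloneDX-style SBOM, compares each component's version against an advisory feed and an end-of-life list, and reports the dependency path from the product to every affected component, so the owner of the direct dependency that pulled it in can be identified. The SBOM fragment, the advisory entries, the package names, the EOL date and the ADV-000x identifiers are all constructed placeholders, and the version comparison assumes plain dotted numeric versions.

```python
"""Check a CycloneDX-style SBOM against a vulnerability / end-of-life feed.

Added example, not part of the CWE entry. The SBOM, the advisory feed,
the package names and the ADV-000x identifiers are constructed placeholders.
"""
import json
from datetime import date

# Constructed SBOM in the shape of a CycloneDX JSON document: a component list
# plus a "dependencies" section recording which component pulls in which.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "web",    "name": "example-web",    "version": "3.1.0"},
    {"bom-ref": "parser", "name": "example-parser", "version": "2.3.9"},
    {"bom-ref": "crypto", "name": "example-crypto", "version": "0.9.2"},
    {"bom-ref": "log",    "name": "example-log",    "version": "1.4.0"}
  ],
  "dependencies": [
    {"ref": "app",    "dependsOn": ["web", "log"]},
    {"ref": "web",    "dependsOn": ["parser"]},
    {"ref": "parser", "dependsOn": ["crypto"]},
    {"ref": "crypto", "dependsOn": []},
    {"ref": "log",    "dependsOn": []}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers. "fixed_in" is the
# first version that is no longer affected; every earlier version is vulnerable.
ADVISORIES = [
    {"id": "ADV-0001", "name": "example-parser", "fixed_in": "2.4.0"},
    {"id": "ADV-0002", "name": "example-crypto", "fixed_in": "1.0.0"},
    {"id": "ADV-0003", "name": "example-log",    "fixed_in": "1.3.2"},  # already fixed at 1.4.0
]

# Hypothetical end-of-life dates: a component past EOL will never receive a patch.
EOL_DATES = {"example-crypto": date(2023, 12, 31)}


def parse_version(text):
    """'2.3.9' -> (2, 3, 9). Assumes dotted numeric versions; real tooling
    must use the ecosystem's own version scheme (PEP 440, semver, ...)."""
    parts = []
    for seg in text.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_sbom(text):
    """Return (root_ref, {ref: component}, {ref: [child refs]})."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in bom["components"]}
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def dependency_path(graph, root, target):
    """Depth-first search for one path root -> ... -> target through the
    SBOM's dependency graph, so a finding names the direct dependency that
    pulled the affected component in. Returns a list of refs, or None."""
    stack = [(root, [root])]
    seen = set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for child in graph.get(node, []):
            stack.append((child, path + [child]))
    return None


def find_affected(sbom_text, advisories, eol_dates, today):
    """Match every SBOM component against the advisory feed and the EOL list.
    Each finding carries the advisory id (or 'EOL'), the component name and
    version, the fixing version if one exists, and the dependency path."""
    root, components, graph = load_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        if ref == root:
            continue
        path = [components[r]["name"] for r in dependency_path(graph, root, ref) or [ref]]
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] == comp["name"] and version < parse_version(adv["fixed_in"]):
                findings.append({"id": adv["id"], "name": comp["name"], "version": comp["version"],
                                 "fixed_in": adv["fixed_in"], "path": path})
        if comp["name"] in eol_dates and today > eol_dates[comp["name"]]:
            findings.append({"id": "EOL", "name": comp["name"], "version": comp["version"],
                             "fixed_in": None, "path": path})
    return sorted(findings, key=lambda f: (f["name"], f["id"]))


def demo_findings():
    """Run the check over the constructed SBOM as of a fixed (hypothetical) date."""
    return find_affected(SBOM_JSON, ADVISORIES, EOL_DATES, date(2024, 6, 1))


if __name__ == "__main__":
    for f in demo_findings():
        action = f"upgrade to >= {f['fixed_in']}" if f["fixed_in"] else "no fix will ship; replace"
        print(f"{f['id']:9} {f['name']}@{f['version']:6} via {' -> '.join(f['path'])}: {action}")
```

Two things the output makes visible that a flat package list does not: the transitively pulled-in `example-crypto` is reported twice (a known vulnerability plus an EOL line, meaning the vendor patch route in the mitigations above no longer exists and the component has to be replaced), and `example-log` is silent because its version is already at or above the fixing version. The dependency path only says who pulled the component in; whether the vulnerable code is actually reachable from the product's attack surface, as the consequences section notes, needs separate analysis.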
References