A9 – Using components with known vulnerabilities
The problem here is external to the application's own code. Libraries can carry vulnerabilities that can be identified and exploited using automated tools. In this way, the threat agent expands beyond well-known forms of attack to include an unknown risk factor.
The official definition of A9 states that:
"Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts."
At first, it seems easy to find out whether a commercial or open source component has known vulnerabilities. However, different versions pose a risk factor, especially the latest ones, which on the one hand are supposed to be more secure and fix old problems, but on the other hand...
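As an added example (not from the original text), here is a small dependency check that reads a pinned manifest and matches each component's version against an advisory list with affected and fixed ranges; the package names, the advisory ids and the manifest are constructed placeholders, and comparing versions numerically rather than as strings is the point the "different versions" remark above turns on.

```python
# Added example (constructed placeholders, not real packages or CVEs): match pinned dependencies against advisories by version.
def parse_version(text):
    """'1.10.0' -> (1, 10, 0): compare numerically, since as strings '1.10.0' < '1.4.2'."""
    return tuple(int(part) for part in text.strip().split("."))

# Constructed advisories: name -> [(first_affected, first_fixed or None if unfixed, advisory id)]
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "ADV-PLACEHOLDER-1")],
    "otherlib": [("2.0.0", "2.3.0", "ADV-PLACEHOLDER-2"),
                 ("3.0.0", None, "ADV-PLACEHOLDER-3")],   # no fixed release yet
}

def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed; an unfixed advisory has no upper bound."""
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    return first_fixed is None or v < parse_version(first_fixed)

def parse_manifest(text):
    """Read 'name==version' lines (requirements.txt style); comments and blank lines are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            # An unpinned dependency cannot be checked: the deployed version is unknown.
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps

def find_known_vulnerable(deps, advisories=ADVISORIES):
    """Return (name, version, advisory id, first_fixed) for every advisory the pinned version falls in."""
    findings = []
    for name, version in deps.items():
        for first_affected, first_fixed, adv_id in advisories.get(name, []):
            if is_affected(version, first_affected, first_fixed):
                findings.append((name, version, adv_id, first_fixed))
    return findings

# Constructed manifest for the demonstration.
MANIFEST = """
examplelib==1.10.0   # numerically newer than the 1.4.2 fix, so not flagged
otherlib==2.2.9      # inside the affected range [2.0.0, 2.3.0)
safelib==0.3.1       # no advisory on file
"""
```

Calling `find_known_vulnerable(parse_manifest(MANIFEST))` reports only `otherlib`; a string comparison would also have flagged `examplelib`, which is why the version tuple matters.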