LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is A06 Vulnerable and Outdated Components?

Your own code can be perfect, but a library, framework, or dependency you pull in has a publicly known CVE — and attackers scan for exactly those versions. The fix is knowing what you depend on and patching it fast.

The textbook example is Equifax (2017): a known, patched flaw in the Apache Struts framework went un-updated for months, and attackers used it to breach 147 million records. The lesson is that modern apps are mostly other people's code (often 80%+ by line count), so "is anything I depend on vulnerable?" is a question you must answer continuously, not once. Tools like Dependency-Track and the NVD CVE database automate that watch.

Issues:

  • Outdated components with known vulnerabilities
  • Unsupported components (no security patches)
  • Insufficient patching process
  • Insufficient testing after updates

Countermeasures:

  • Remove unnecessary dependencies
  • Update regularly based on risk
  • Continuously monitor components (e.g., Dependency Track)
  • Obtain components from official sources only

See: OWASP Dependency-Track | NVD — search known CVEs for your components

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026