Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › Which OWASP category covers using libraries with…
Which OWASP category covers using libraries with KNOWN CVEs?
AA01: Broken Access Control
BA03: Injection
CA06: Vulnerable and Outdated Components
DA10: SSRF
Answer & Solution
Correct answer: C. A06: Vulnerable and Outdated Components
1. A06: VULNERABLE AND OUTDATED COMPONENTS (2021, was 'Using Components with Known Vulnerabilities' in 2017).
2. Modern apps inherit hundreds of third-party libraries — any one with a known CVE can compromise the whole app.
3. Notable cases:
• Equifax 2017 breach: unpatched Apache Struts (CVE-2017-5638) — exposed 147M records.
• Log4Shell 2021: Log4j RCE (CVE-2021-44228) — internet-wide emergency patching event.
4. MITIGATIONS: software composition analysis (SCA) tools (Dependabot, Snyk), regular dep updates, dependency pinning + auto-merge of security patches.
5. SBOM (Software Bill of Materials): inventory of every component for visibility.
_Source: OWASP Top 10 2021 — A06: Vulnerable and Outdated Components._
Related questions
What does HTTPS provide over plain HTTP?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated byWhich mitigation is the SINGLE most effective defense against SQL Injection?SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenWhat does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?The OWASP 2021 category A04 'INSECURE DESIGN' is a NEW category that addresses