Description
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
Potential Impact
Integrity, Confidentiality
Gain Privileges or Assume Identity
Demonstrative Examples
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd"><allow-access-from domain="*.example.com"/><allow-access-from domain="*"/></cross-domain-policy><?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from><grant-to><resource path="/" include-subpaths="true"/></grant-to></policy></cross-domain-access></access-policy>IntentFilter filter = new IntentFilter("com.example.RemoveUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter);
public class DeleteReceiver extends BroadcastReceiver {@Overridepublic void onReceive(Context context, Intent intent) {int userID = intent.getIntExtra("userID");destroyUserData(userID);}}Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-30319 | S-bus functionality in a home automation product performs access control using an IP allowlist, which can be bypassed by a forged IP address. |
| CVE-2022-22547 | A troubleshooting tool exposes a web server on a random port between 9000-65535 that could be used for information gathering |
| CVE-2022-4390 | A WAN interface on a router has firewall restrictions enabled for IPv4, but it does not for IPv6, which is enabled by default |
| CVE-2012-2292 | Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy. |
| CVE-2012-5810 | Mobile banking application does not verify hostname, leading to financial loss. |
| CVE-2014-1266 | Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-56 |
| CVE-2000-1218 | DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning |
Related Weaknesses
Frequently Asked Questions
What is CWE-923?
CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
How can CWE-923 be exploited?
Attackers can exploit CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-923?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-923?
CWE-923 is classified as a Class-level weakness (High abstraction). It has been observed in 7 real-world CVEs.