CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Extended Description
Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
Scope
Impact
If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
These cross-domain policy files are meant to allow Flash and Silverlight applications hosted on other domains to access the site's data:
Flash crossdomain.xml:
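An added example, not part of the original CWE entry: a small Python audit that parses a Flash crossdomain.xml or a Silverlight clientaccesspolicy.xml and reports grants that are not restricted to a named domain. The sample policies are constructed, and the function names `audit_policy` and `is_overbroad` are assumptions made for this illustration.

```python
"""Audit Flash / Silverlight cross-domain policy files for wildcard grants."""
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
FLASH_OPEN = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

FLASH_SCOPED = """<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>"""

SILVERLIGHT_OPEN = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def is_overbroad(pattern):
    """True for "*", a scheme-only wildcard ("http://*") or a whole-TLD wildcard ("*.com")."""
    host = pattern.split("://", 1)[-1].strip().lower()
    if host == "*":
        return True
    return host.startswith("*.") and "." not in host[2:]


def audit_policy(xml_text):
    """Return (rule, value) pairs for grants that do not name an intended endpoint.

    Intended for auditing your own policy files; use a hardened parser
    (for example defusedxml) if the XML comes from an untrusted source.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag == "cross-domain-policy":      # Flash crossdomain.xml
        for el in root.iter("allow-access-from"):
            if is_overbroad(el.get("domain", "")):
                findings.append(("allow-access-from", el.get("domain")))
    elif root.tag == "access-policy":          # Silverlight clientaccesspolicy.xml
        for el in root.iter("domain"):
            if is_overbroad(el.get("uri", "")):
                findings.append(("allow-from/domain", el.get("uri")))
    else:
        raise ValueError("not a cross-domain policy file: %r" % root.tag)
    return findings
```

An empty result means every grant names a specific host or a subdomain wildcard under a named domain; each finding should be replaced by the exact domains that are meant to reach the data.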
This Android application will remove a user account when it receives an intent to do so:
This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.
Observed CVE Examples (7)
S-bus functionality in a home automation product performs access control using an IP allowlist, which can be bypassed by a forged IP address.
A troubleshooting tool exposes a web server on a random port between 9000-65535 that could be used for information gathering
A WAN interface on a router has firewall restrictions enabled for IPv4, but it does not for IPv6, which is enabled by default
Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy.
Mobile banking application does not verify hostname, leading to financial loss.
chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
CWE Relationships
Frequently Asked Questions
What is CWE-923: Improper Restriction of Communication Channel to Intended Endpoints?
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
What are the security consequences of Improper Restriction of Communication Channel to Intended Endpoints?
If exploited, CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) can compromise Integrity and Confidentiality, leading to outcomes such as Gain Privileges or Assume Identity.
Which programming languages are affected by Improper Restriction of Communication Channel to Intended Endpoints?
CWE-923 is not language-specific. Weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Improper Restriction of Communication Channel to Intended Endpoints?
MITRE documents real CVEs mapped to CWE-923, including CVE-2022-30319, CVE-2022-22547, CVE-2022-4390, CVE-2012-2292 and CVE-2012-5810. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-923 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.