Common Weakness Enumeration

CWE-419

Allowed

Unprotected Primary Channel

Abstraction: Base · Status: Draft

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

16 vulnerabilities reference this CWE, most recent first.

CVE-2018-12120 (GCVE-0-2018-12120)

Vulnerability from cvelistv5 – Published: 2018-11-28 17:00 – Updated: 2024-08-05 08:24
VLAI
Summary
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
Severity
No CVSS data available.
CWE
  • CWE-419 - Unprotected Primary Channel
Assigner
References
Impacted products
Vendor Product Version
The Node.js Project Node.js Affected: All versions prior to Node.js 6.15.0
Create a notification for this product.
Date Public
2018-11-28 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:24:03.745Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
          },
          {
            "name": "106040",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106040"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Node.js",
          "vendor": "The Node.js Project",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to Node.js 6.15.0"
            }
          ]
        }
      ],
      "datePublic": "2018-11-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-419",
              "description": "CWE-419: Unprotected Primary Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-29T10:57:01.000Z",
        "orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
        "shortName": "nodejs"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
        },
        {
          "name": "106040",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106040"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-request@iojs.org",
          "ID": "CVE-2018-12120",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Node.js",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to Node.js 6.15.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The Node.js Project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-419: Unprotected Primary Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
            },
            {
              "name": "106040",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106040"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
    "assignerShortName": "nodejs",
    "cveId": "CVE-2018-12120",
    "datePublished": "2018-11-28T17:00:00.000Z",
    "dateReserved": "2018-06-11T00:00:00.000Z",
    "dateUpdated": "2024-08-05T08:24:03.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-4QFQ-632Q-HR28

Vulnerability from github – Published: 2024-07-10 09:30 – Updated: 2024-07-11 15:30
VLAI
Details

TONE store App version 3.4.2 and earlier contains an issue with unprotected primary channel. Since TONE store App communicates with TONE store website in cleartext, a man-in-the-middle attack may allow an attacker to obtain and/or alter communications of the affected App.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-419"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-10T07:15:03Z",
    "severity": "LOW"
  },
  "details": "TONE store App version 3.4.2 and earlier contains an issue with unprotected primary channel. Since TONE store App communicates with TONE store website in cleartext, a man-in-the-middle attack may allow an attacker to obtain and/or alter communications of the affected App.",
  "id": "GHSA-4qfq-632q-hr28",
  "modified": "2024-07-11T15:30:46Z",
  "published": "2024-07-10T09:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39886"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN28515217"
    },
    {
      "type": "WEB",
      "url": "https://tone.ne.jp/vulnerability/14492007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8XPW-V6VW-79JF

Vulnerability from github – Published: 2024-11-08 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393",
      "CWE-419"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T09:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated attacker with access to the local network of the \nmedical office can use known default credentials to gain remote DBA \naccess to the Elefant Firebird database. The data in the database \nincludes patient data and login credentials among other sensitive data. \nIn addition, this enables an attacker to create and overwrite arbitrary \nfiles on the server filesystem with the rights of the Firebird database \n(\"NT AUTHORITY\\SYSTEM\").",
  "id": "GHSA-8xpw-v6vw-79jf",
  "modified": "2025-11-04T00:31:58Z",
  "published": "2024-11-08T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50588"
    },
    {
      "type": "WEB",
      "url": "https://hasomed.de/produkte/elefant"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/hasomed"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Nov/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FRV-H2CF-52WH

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:50
VLAI
Details

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-419",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-29T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet\u0027s healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.",
  "id": "GHSA-9frv-h2cf-52wh",
  "modified": "2024-04-04T01:50:34Z",
  "published": "2022-05-24T16:55:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/81023"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/kubernetes-security-announce/pKELclHIov8/BEDtRELACQAJ"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190919-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J777-63HF-HX76

Vulnerability from github – Published: 2025-01-23 17:51 – Updated: 2025-01-23 17:51
VLAI
Summary
Envoy Admin Interface Exposed through prometheus metrics endpoint
Details

Impact

A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data).

For example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:

curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump

Patches

1.2.6

Workarounds

The EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: default
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
    - op: "add"
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path"
      value: true
    - op: "replace"
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match"
      value:
        path: "/stats/prometheus"
        headers:
          - name: ":method"
            exact_match: GET

References

  • Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin
  • Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-419"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-23T17:51:08Z",
    "nvd_published_at": "2025-01-23T04:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). \n\nFor example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:\n```\ncurl --path-as-is http://\u003cProxy-Service-ClusterIP\u003e:19001/stats/prometheus/../../config_dump\n```\n### Patches\n1.2.6\n\n### Workarounds\nThe `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch. \n\n```\napiVersion: gateway.envoyproxy.io/v1alpha1\nkind: EnvoyProxy\nmetadata:\n  name: custom-proxy-config\n  namespace: default\nspec:\n  bootstrap:\n    type: JSONPatch\n    jsonPatches:\n    - op: \"add\"\n      path: \"/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path\"\n      value: true\n    - op: \"replace\"\n      path: \"/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match\"\n      value:\n        path: \"/stats/prometheus\"\n        headers:\n          - name: \":method\"\n            exact_match: GET\n```\n\n### References\n- Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin\n- Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge",
  "id": "GHSA-j777-63hf-hx76",
  "modified": "2025-01-23T17:51:08Z",
  "published": "2025-01-23T17:51:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/gateway"
    },
    {
      "type": "WEB",
      "url": "https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge"
    },
    {
      "type": "WEB",
      "url": "https://www.envoyproxy.io/docs/envoy/latest/operations/admin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy Admin Interface Exposed through prometheus metrics endpoint"
}

GHSA-W959-V6JH-CHCH

Vulnerability from github – Published: 2024-03-13 12:31 – Updated: 2024-03-13 12:31
VLAI
Details

The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the 'adb' service open on port 5555 and provides access to a shell with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-419"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-13T12:15:06Z",
    "severity": "HIGH"
  },
  "details": "The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the \u0027adb\u0027 service open on port 5555 and provides access to a shell with root privileges.",
  "id": "GHSA-w959-v6jh-chch",
  "modified": "2024-03-13T12:31:07Z",
  "published": "2024-03-13T12:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2414"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-movistar-4g-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Do not expose administrative functionnality on the user UI.

Mitigation
Architecture and Design

Protect the administrative/restricted functionality with a strong authentication mechanism.

CAPEC-383: Harvesting Information via API Event Monitoring

An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.