CWE-419
AllowedUnprotected Primary Channel
Abstraction: Base · Status: Draft
The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.
16 vulnerabilities reference this CWE, most recent first.
CVE-2018-12120 (GCVE-0-2018-12120)
Vulnerability from cvelistv5 – Published: 2018-11-28 17:00 – Updated: 2024-08-05 08:24- CWE-419 - Unprotected Primary Channel
| URL | Tags |
|---|---|
| https://nodejs.org/en/blog/vulnerability/november… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/106040 | vdb-entryx_refsource_BID |
| Vendor | Product | Version | |
|---|---|---|---|
| The Node.js Project | Node.js |
Affected:
All versions prior to Node.js 6.15.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106040"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-419",
"description": "CWE-419: Unprotected Primary Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-29T10:57:01.000Z",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106040"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12120",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-419: Unprotected Primary Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106040",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106040"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12120",
"datePublished": "2018-11-28T17:00:00.000Z",
"dateReserved": "2018-06-11T00:00:00.000Z",
"dateUpdated": "2024-08-05T08:24:03.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-4QFQ-632Q-HR28
Vulnerability from github – Published: 2024-07-10 09:30 – Updated: 2024-07-11 15:30TONE store App version 3.4.2 and earlier contains an issue with unprotected primary channel. Since TONE store App communicates with TONE store website in cleartext, a man-in-the-middle attack may allow an attacker to obtain and/or alter communications of the affected App.
{
"affected": [],
"aliases": [
"CVE-2024-39886"
],
"database_specific": {
"cwe_ids": [
"CWE-419"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T07:15:03Z",
"severity": "LOW"
},
"details": "TONE store App version 3.4.2 and earlier contains an issue with unprotected primary channel. Since TONE store App communicates with TONE store website in cleartext, a man-in-the-middle attack may allow an attacker to obtain and/or alter communications of the affected App.",
"id": "GHSA-4qfq-632q-hr28",
"modified": "2024-07-11T15:30:46Z",
"published": "2024-07-10T09:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39886"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN28515217"
},
{
"type": "WEB",
"url": "https://tone.ne.jp/vulnerability/14492007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8XPW-V6VW-79JF
Vulnerability from github – Published: 2024-11-08 09:30 – Updated: 2025-11-04 00:31An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").
{
"affected": [],
"aliases": [
"CVE-2024-50588"
],
"database_specific": {
"cwe_ids": [
"CWE-1393",
"CWE-419"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-08T09:15:07Z",
"severity": "CRITICAL"
},
"details": "An unauthenticated attacker with access to the local network of the \nmedical office can use known default credentials to gain remote DBA \naccess to the Elefant Firebird database. The data in the database \nincludes patient data and login credentials among other sensitive data. \nIn addition, this enables an attacker to create and overwrite arbitrary \nfiles on the server filesystem with the rights of the Firebird database \n(\"NT AUTHORITY\\SYSTEM\").",
"id": "GHSA-8xpw-v6vw-79jf",
"modified": "2025-11-04T00:31:58Z",
"published": "2024-11-08T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50588"
},
{
"type": "WEB",
"url": "https://hasomed.de/produkte/elefant"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/hasomed"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FRV-H2CF-52WH
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:50The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
{
"affected": [],
"aliases": [
"CVE-2019-11248"
],
"database_specific": {
"cwe_ids": [
"CWE-419",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-29T01:15:00Z",
"severity": "HIGH"
},
"details": "The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet\u0027s healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.",
"id": "GHSA-9frv-h2cf-52wh",
"modified": "2024-04-04T01:50:34Z",
"published": "2022-05-24T16:55:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11248"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/81023"
},
{
"type": "WEB",
"url": "https://groups.google.com/d/msg/kubernetes-security-announce/pKELclHIov8/BEDtRELACQAJ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190919-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J777-63HF-HX76
Vulnerability from github – Published: 2025-01-23 17:51 – Updated: 2025-01-23 17:51Impact
A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data).
For example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:
curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump
Patches
1.2.6
Workarounds
The EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
name: custom-proxy-config
namespace: default
spec:
bootstrap:
type: JSONPatch
jsonPatches:
- op: "add"
path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path"
value: true
- op: "replace"
path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match"
value:
path: "/stats/prometheus"
headers:
- name: ":method"
exact_match: GET
References
- Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin
- Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/gateway"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24030"
],
"database_specific": {
"cwe_ids": [
"CWE-419"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-23T17:51:08Z",
"nvd_published_at": "2025-01-23T04:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\nA user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). \n\nFor example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:\n```\ncurl --path-as-is http://\u003cProxy-Service-ClusterIP\u003e:19001/stats/prometheus/../../config_dump\n```\n### Patches\n1.2.6\n\n### Workarounds\nThe `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch. \n\n```\napiVersion: gateway.envoyproxy.io/v1alpha1\nkind: EnvoyProxy\nmetadata:\n name: custom-proxy-config\n namespace: default\nspec:\n bootstrap:\n type: JSONPatch\n jsonPatches:\n - op: \"add\"\n path: \"/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path\"\n value: true\n - op: \"replace\"\n path: \"/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match\"\n value:\n path: \"/stats/prometheus\"\n headers:\n - name: \":method\"\n exact_match: GET\n```\n\n### References\n- Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin\n- Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge",
"id": "GHSA-j777-63hf-hx76",
"modified": "2025-01-23T17:51:08Z",
"published": "2025-01-23T17:51:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24030"
},
{
"type": "WEB",
"url": "https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/gateway"
},
{
"type": "WEB",
"url": "https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge"
},
{
"type": "WEB",
"url": "https://www.envoyproxy.io/docs/envoy/latest/operations/admin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Envoy Admin Interface Exposed through prometheus metrics endpoint"
}
GHSA-W959-V6JH-CHCH
Vulnerability from github – Published: 2024-03-13 12:31 – Updated: 2024-03-13 12:31The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the 'adb' service open on port 5555 and provides access to a shell with root privileges.
{
"affected": [],
"aliases": [
"CVE-2024-2414"
],
"database_specific": {
"cwe_ids": [
"CWE-419"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T12:15:06Z",
"severity": "HIGH"
},
"details": "The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the \u0027adb\u0027 service open on port 5555 and provides access to a shell with root privileges.",
"id": "GHSA-w959-v6jh-chch",
"modified": "2024-03-13T12:31:07Z",
"published": "2024-03-13T12:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2414"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-movistar-4g-router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Do not expose administrative functionnality on the user UI.
Mitigation
Protect the administrative/restricted functionality with a strong authentication mechanism.
CAPEC-383: Harvesting Information via API Event Monitoring
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.