CWE-420
AllowedUnprotected Alternate Channel
Abstraction: Base · Status: Draft
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
71 vulnerabilities reference this CWE, most recent first.
GHSA-RG5H-X2JJ-82PX
Vulnerability from github – Published: 2025-09-11 21:31 – Updated: 2025-09-11 21:31An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability:
An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.
{
"affected": [],
"aliases": [
"CVE-2025-8557"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-11T19:15:35Z",
"severity": "HIGH"
},
"details": "An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability:\n\nAn attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.",
"id": "GHSA-rg5h-x2jj-82px",
"modified": "2025-09-11T21:31:55Z",
"published": "2025-09-11T21:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8557"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-201014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RH5Q-V9WW-RQGM
Vulnerability from github – Published: 2025-07-18 21:30 – Updated: 2025-10-22 00:33CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
{
"affected": [],
"aliases": [
"CVE-2025-54309"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T19:15:25Z",
"severity": "CRITICAL"
},
"details": "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.",
"id": "GHSA-rh5q-v9ww-rqgm",
"modified": "2025-10-22T00:33:19Z",
"published": "2025-07-18T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54309"
},
{
"type": "WEB",
"url": "https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309"
},
{
"type": "WEB",
"url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9X5-M47G-3GX6
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). The vulnerability allows any interactively logged in users on the target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows for a low privileged attacker to escalate their privileges. This vulnerability is due to an incomplete fix for CVE-2024-25029.
{
"affected": [],
"aliases": [
"CVE-2025-1095"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T16:15:24Z",
"severity": "HIGH"
},
"details": "IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). The vulnerability allows any interactively logged in users on the target computer to run commands with full privileges in the context of NT AUTHORITY\\SYSTEM. This allows for a low privileged attacker to escalate their privileges. This vulnerability is due to an incomplete fix for CVE-2024-25029.",
"id": "GHSA-w9x5-m47g-3gx6",
"modified": "2025-04-08T18:34:41Z",
"published": "2025-04-08T18:34:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1095"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7230335"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQV3-8CM6-H6WG
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-01-06 22:23A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, because of this bug, that service would be potentially reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. If the example service on port 1234 required no additional authentication (because it assumed that only other localhost processes could reach it), then it could be vulnerable to attacks that make use of this bug.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.18.0"
},
{
"fixed": "1.18.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.17.0"
},
{
"fixed": "1.17.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8558"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T19:30:36Z",
"nvd_published_at": "2020-07-27T20:15:00Z",
"severity": "HIGH"
},
"details": "A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, because of this bug, that service would be potentially reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. If the example service on port 1234 required no additional authentication (because it assumed that only other localhost processes could reach it), then it could be vulnerable to attacks that make use of this bug.",
"id": "GHSA-wqv3-8cm6-h6wg",
"modified": "2023-01-06T22:23:41Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-wqv3-8cm6-h6wg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/92315"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8558"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://github.com/tabbysable/POC-2020-8558"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE"
},
{
"type": "WEB",
"url": "https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200821-0001"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/07/08/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Authentication in Kubernetes"
}
GHSA-WXXX-GVQV-XP7P
Vulnerability from github – Published: 2026-05-11 16:17 – Updated: 2026-05-11 16:17Impact
The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.
Reaching the endpoint requires a proxy-admin credential in default configurations.
Patches
Fixed in 1.83.11. The hand-rolled sandbox has been replaced with RestrictedPython. Upgrade to 1.83.11 or later.
Workarounds
If upgrading is not immediately possible, block POST /guardrails/test_custom_code at your reverse proxy or API gateway.
References
- Patched release:
v1.83.10-stable
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm"
},
"ranges": [
{
"events": [
{
"introduced": "1.81.8"
},
{
"fixed": "1.83.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40217"
],
"database_specific": {
"cwe_ids": [
"CWE-420",
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:17:23Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe `POST /guardrails/test_custom_code` endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process \u2014 which runs as root in the default Docker image.\n\n**Reaching the endpoint requires a proxy-admin credential** in default configurations.\n\n### Patches\n\nFixed in **`1.83.11`**. The hand-rolled sandbox has been replaced with `RestrictedPython`. Upgrade to `1.83.11` or later.\n\n### Workarounds\n\nIf upgrading is not immediately possible, block `POST /guardrails/test_custom_code` at your reverse proxy or API gateway.\n\n### References\n\n- Patched release: [`v1.83.10-stable`](https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)",
"id": "GHSA-wxxx-gvqv-xp7p",
"modified": "2026-05-11T16:17:23Z",
"published": "2026-05-11T16:17:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-wxxx-gvqv-xp7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40217"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable"
},
{
"type": "WEB",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiteLLM has a sandbox escape in custom-code guardrail"
}
GHSA-X6FH-7QMF-69XH
Vulnerability from github – Published: 2025-10-23 06:31 – Updated: 2025-10-23 16:49Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/slackhq/nebula"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.4"
},
{
"fixed": "1.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62820"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-23T16:49:07Z",
"nvd_published_at": "2025-10-23T04:18:57Z",
"severity": "MODERATE"
},
"details": "Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.",
"id": "GHSA-x6fh-7qmf-69xh",
"modified": "2025-10-23T16:49:07Z",
"published": "2025-10-23T06:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62820"
},
{
"type": "WEB",
"url": "https://github.com/slackhq/nebula/pull/1493"
},
{
"type": "WEB",
"url": "https://github.com/slackhq/nebula/pull/1494"
},
{
"type": "WEB",
"url": "https://github.com/slackhq/nebula/commit/e264a0ff888c7bf0568579306755a60fc42f6ecc"
},
{
"type": "PACKAGE",
"url": "https://github.com/slackhq/nebula"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Slack Nebula may accept arbitrary source IP addresses "
}
GHSA-X96R-V3VC-578H
Vulnerability from github – Published: 2025-11-19 18:31 – Updated: 2025-12-02 18:30Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.
{
"affected": [],
"aliases": [
"CVE-2025-13315"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-19T18:15:47Z",
"severity": "CRITICAL"
},
"details": "Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator\u0027s username and encrypted password.",
"id": "GHSA-x96r-v3vc-578h",
"modified": "2025-12-02T18:30:26Z",
"published": "2025-11-19T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13315"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XF23-WGV8-93V6
Vulnerability from github – Published: 2023-04-19 12:30 – Updated: 2024-04-04 03:35Unprotected Alternate Channel vulnerability in debug console of GateManager allows system administrator to obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2023-0317"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T12:15:07Z",
"severity": "MODERATE"
},
"details": "Unprotected Alternate Channel vulnerability in debug console of GateManager allows system administrator to obtain sensitive information.",
"id": "GHSA-xf23-wgv8-93v6",
"modified": "2024-04-04T03:35:09Z",
"published": "2023-04-19T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0317"
},
{
"type": "WEB",
"url": "https://www.secomea.com/support/cybersecurity-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG9F-QGVM-J933
Vulnerability from github – Published: 2025-11-30 06:30 – Updated: 2025-11-30 06:30In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.
{
"affected": [],
"aliases": [
"CVE-2025-66432"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-30T05:16:08Z",
"severity": "MODERATE"
},
"details": "In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.",
"id": "GHSA-xg9f-qgvm-j933",
"modified": "2025-11-30T06:30:13Z",
"published": "2025-11-30T06:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66432"
},
{
"type": "WEB",
"url": "https://docs.oxide.computer/security/advisories/20251117-1"
},
{
"type": "WEB",
"url": "https://github.com/oxidecomputer/omicron/compare/01bb875...ec069f0"
},
{
"type": "WEB",
"url": "https://oxide.computer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XJWM-4PFW-49G2
Vulnerability from github – Published: 2025-08-03 03:30 – Updated: 2025-08-03 03:30In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv).
{
"affected": [],
"aliases": [
"CVE-2025-54351"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-03T02:15:37Z",
"severity": "HIGH"
},
"details": "In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv).",
"id": "GHSA-xjwm-4pfw-49g2",
"modified": "2025-08-03T03:30:30Z",
"published": "2025-08-03T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54351"
},
{
"type": "WEB",
"url": "https://github.com/esnet/iperf/commit/969b7f70c447513e92c9798f22e82b40ebc53bf0"
},
{
"type": "WEB",
"url": "https://github.com/esnet/iperf/releases/tag/3.19.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
No CAPEC attack patterns related to this CWE.