CWE-923
Allowed-with-ReviewImproper Restriction of Communication Channel to Intended Endpoints
Abstraction: Class · Status: Incomplete
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
112 vulnerabilities reference this CWE, most recent first.
GHSA-X279-FQQW-2JVV
Vulnerability from github – Published: 2025-01-28 03:31 – Updated: 2025-01-28 03:31IBM Fusion and IBM Fusion HCI 2.3.0 through 2.8.2 is vulnerable to insecure network connection by allowing an attacker who gains access to a Fusion container to establish an external network connection.
{
"affected": [],
"aliases": [
"CVE-2024-22315"
],
"database_specific": {
"cwe_ids": [
"CWE-923"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T02:15:28Z",
"severity": "MODERATE"
},
"details": "IBM Fusion and IBM Fusion HCI 2.3.0 through 2.8.2 is vulnerable to insecure network connection by allowing an attacker who gains access to a Fusion container to establish an external network connection.",
"id": "GHSA-x279-fqqw-2jvv",
"modified": "2025-01-28T03:31:14Z",
"published": "2025-01-28T03:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22315"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7179168"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XC4G-8C26-VCMF
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact to the device.
Due to a wrong initialization, a process which should only be able to communicate internally within the device can be reached over the network via an open port. This leads to a device being inadvertently exposed and increased CPU cycles spent processing ingress packets.
This issue affects Junos OS Evolved:
- all versions before 23.2R2-S7-EVO,
- 23.4 versions before 23.4R2-S8-EVO,
- 24.2 versions before 24.2R2-S5-EVO,
- 24.4 versions before 24.4R2-S4-EVO,
- 25.2 versions before 25.2R2-S1-EVO,
- 25.4 versions before 25.4R1-S2-EVO.
{
"affected": [],
"aliases": [
"CVE-2026-33803"
],
"database_specific": {
"cwe_ids": [
"CWE-923"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:03Z",
"severity": "MODERATE"
},
"details": "An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact to the device.\n\n\nDue to a wrong initialization, a process which should only be able to communicate internally within the device can be reached over the network via an open port. This leads to a device being inadvertently exposed and increased CPU cycles spent processing ingress packets.\n\nThis issue affects Junos OS Evolved:\n\n\n * all versions before 23.2R2-S7-EVO,\n * 23.4 versions before 23.4R2-S8-EVO,\n * 24.2 versions before 24.2R2-S5-EVO,\n * 24.4 versions before 24.4R2-S4-EVO,\n * 25.2 versions before 25.2R2-S1-EVO,\n * 25.4 versions before 25.4R1-S2-EVO.",
"id": "GHSA-xc4g-8c26-vcmf",
"modified": "2026-07-10T00:31:25Z",
"published": "2026-07-10T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33803"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA110078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-161: Infrastructure Manipulation
An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.
CAPEC-481: Contradictory Destinations in Traffic Routing Schemes
Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.
CAPEC-501: Android Activity Hijack
An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.
CAPEC-697: DHCP Spoofing
An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.