Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-420 (未保护的候选通道) — Vulnerability Class 33

33 vulnerabilities classified as CWE-420 (未保护的候选通道). AI Chinese analysis included.

CWE-420 represents a security weakness where an application implements robust protective measures for its primary communication channel but neglects to apply equivalent safeguards to an alternate data path. This disparity often arises when developers focus exclusively on the main interface, such as a web portal, while overlooking secondary mechanisms like background APIs, logging services, or administrative endpoints. Attackers typically exploit this oversight by bypassing the hardened primary channel to access the unprotected alternate one, thereby gaining unauthorized access to sensitive data or executing malicious commands without triggering standard security controls. To prevent this vulnerability, developers must conduct comprehensive threat modeling that identifies all potential communication paths within the system architecture. Security policies should then be uniformly applied across every channel, ensuring that encryption, authentication, and authorization mechanisms are consistently enforced regardless of the entry point used.

MITRE CWE Description
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Common Consequences (1)
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism
Mitigations (1)
Architecture and DesignIdentify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Examples (1)
Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by a…
module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n); output [31:0] data_out; input [31:0] data_in, incoming_id, address; input clk, rst_n; wire write_auth, addr_auth; reg [31:0] data_out, acl_oh_allowlist, q; assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; always @* acl_oh_allowlist <= 32'h8312; assign addr_auth = (address == 32'hF00) ? 1: 0; always @ (posedge clk or negedge rst_n) if (!rst_n) begin q <= 32'h0; data_out <= 32'h0; end else begin q <= (addr_auth & write_auth) ? data_in: q; data_out <= q; end end endmodule
Informative · Verilog
assign addr_auth = (address == 32'hF00) ? 1: 0;
Bad · Verilog
CVE IDTitleCVSSSeverityPublished
CVE-2023-28842 moby/moby's dockerd daemon encrypted overlay network with a single endpoint is unauthenticated — moby 6.8 Medium2023-04-04
CVE-2022-25786 GateManager debug interface is included in production builds — GateManager 4.9 Medium2022-05-04
CVE-2020-8558 Kubernetes node setting allows for neighboring hosts to bypass localhost boundary — Kubernetes 5.4 Medium2020-07-27

Vulnerabilities classified as CWE-420 (未保护的候选通道) represent 33 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.