CWE-420

BaseDraft

View on MITRE

Unprotected Alternate Channel

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

27 linked vulnerabilities

1 related weaknesses

Architecture and Design

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

Access ControlGain Privileges or Assume IdentityBypass Protection Mechanism

Modes of Introduction

Architecture and DesignImplementationOperation

Related Weaknesses

CWE-923ChildOf

Example CVEs (7)

CVE-2020-8004

When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).

CVE-2002-0567

DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.

CVE-2002-1578

Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.

CVE-2003-1035

User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.

CVE-2002-1863

FTP service can not be disabled even when other access controls would require it.

External Links

MITRE CWE Database