CWE-940: Improper Verification of Source of a Communication Channel
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
扩展描述
When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.
常见后果
影响范围: Access Control Other
技术影响: Gain Privileges or Assume Identity Varies by Context
说明: An attacker can access any functionality that is inadvertently accessible to the source.
潜在缓解措施
阶段: Architecture and Design
观察示例
参考: CVE-2000-1218
DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
参考: CVE-2005-0877
DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
参考: CVE-2001-1452
DNS server caches glue records received from non-delegated name servers
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
技术
关键信息
CWE ID: CWE-940
抽象级别: Base
结构: Simple
状态: Incomplete