CWE-941 Detalhe

CWE-941

Incorrectly Specified Destination in a Communication Channel
Incomplete
2014-02-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Incorrectly Specified Destination in a Communication Channel

The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.

Informações Gerais

Modos de Introdução

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Tecnologias

Class: Mobile (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
Access Control
Other		Gain Privileges or Assume Identity, Varies by Context, Bypass Protection Mechanism

Note: An attacker can access any functionality that is inadvertently accessible to the source.

Exemplos Observados

Referências Descrição

CVE-2013-5211

composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.

CVE-1999-0513

Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.

CVE-1999-1379

DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Referências

REF-941

UDP-based Amplification Attacks
US-CERT.
https://www.cisa.gov/ncas/alerts/TA14-017A

REF-942

Android Bad Practices: Sticky Broadcast
Fortify.
https://www.hpe.com/us/en/solutions/infrastructure-security.html?jumpid=va_wnmstr1ug6_aid-510326901

Submissão

Nome Organização Data Data de lançamento Version
CWE Content Team MITRE 2014-02-13 +00:00 2014-02-19 +00:00 2.6

Modificações

Nome Organização Data Comentário
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Common_Consequences, Relationships, Weakness_Ordinalities
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.