CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
CWE Definition: http://cwe.mitre.org/data/definitions/300.html

Number of vulnerabilities: 3
Description

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Failure to do so adequately or consistently may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities.
Background Details: (none)

Other Notes: (none)
Warning! CWE definitions are provided as a quick reference. They are not complete and may not be up to date! You must visit http://cwe.mitre.org/ for a complete list of CWE entries and for more details.