Confused Deputy
CWE-441
Overtime trend (NVD)
CVSS severity (NVD, All Time)
Per technology (GHSA, All time)
- 50%-Maven
- 50%-Go
Short description
Extended description
If an attacker cannot directly contact a target, but the product has access to the target, then the attacker can send a request to the product and have it be forwarded to the target. The request would appear to be coming from the product's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker.
Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:
- The product runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component;
- The attacker is prevented from making the request directly to the target; and
- The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, hardware IP, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources.
Best practices to prevent this CWE
Phase: Architecture and Design
Enforce the use of strong mutual authentication mechanism between the two parties.
Phase: Architecture and Design
Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.