CVEbaza.plSłownik CWECWE-1327
Common Weakness Enumeration

CWE-1327

Binding to an Unrestricted IP Address

Kategoria: BaseCVE: 18
Opis

Produkt przypisuje adres 0.0.0.0 dla serwera bazy danych, usługi/instancji chmurowej lub dowolnego zasobu obliczeniowego komunikującego się zdalnie. Powoduje to potencjalną podatność bezpieczeństwa, umożliwiając dostęp z dowolnego adresu IP.

Description (EN)

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

Podatności CVE z CWE-1327 (18)
10.0
CVSS
CRITICAL
CVE-2023-1968

Instruments with Illumina Universal Copy Service v2.x are vulnerable due to binding to an unrestricted IP address. An unauthenticated malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remote communications.

pub. 2023-04-28
9.8
CVSS
CRITICAL
CVE-2026-24015

W Apache IoTDB wykryto krytyczną podatność mogącą wpłynąć na poufność, integralność i dostępność systemu. Ze względu na wysoki wynik CVSS 9.8 oraz brak wymagań dotyczących uwierzytelnienia, podatność stanowi poważne zagrożenie dla środowisk produkcyjnych.

pub. 2026-03-09
9.4
CVSS
CRITICAL
CVE-2025-3621

Produkt ActADUR lokalnego serwera firmy ProTNS zawiera zestaw krytycznych podatności umożliwiających zdalne wykonanie kodu (Remote Code Inclusion) na systemie hosta. Podatności obejmują m.in. command injection, użycie zakodowanych na stałe danych uwierzytelniających oraz nieprawidłową autentykację, co czyni je szczególnie niebezpiecznymi.

pub. 2025-07-15
9.3
CVSS
CRITICAL
CVE-2025-61934

W oprogramowaniu AutomationDirect Productivity Suite w wersji v4.4.1.19 wykryto podatność polegającą na powiązaniu usługi z nieograniczonym adresem IP, co umożliwia nieuwierzytelnionemu atakującemu zdalny dostęp do symulatora PLC (ProductivityService). Podatność jest krytyczna, ponieważ nie wymaga żadnego uwierzytelnienia ani interakcji użytkownika, a jej eksploatacja pozwala na odczyt, zapis i usuwanie dowolnych plików na zaatakowanej maszynie.

pub. 2025-10-23
9.2
CVSS
CRITICAL
CVE-2026-0481

Podatność w komponencie AMD Device Metrics Exporter ekosystemu ROCm umożliwia zdalnemu atakującemu nieautoryzowaną modyfikację konfiguracji GPU. Może to doprowadzić do utraty dostępności zarówno samego urządzenia, jak i systemów od niego zależnych.

pub. 2026-05-15
8.8
CVSS
HIGH
CVE-2026-42503

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0.  As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.

pub. 2026-05-06
7.5
CVSS
HIGH
CVE-2023-41742

Excessive attack surface due to binding to an unrestricted IP address. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30430, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.

pub. 2023-08-31
7.3
CVSS
HIGH
CVE-2025-55322

Binding to an unrestricted ip address in GitHub allows an unauthorized attacker to execute code over a network.

pub. 2025-09-24
6.8
CVSS
MEDIUM
CVE-2025-11538

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

pub. 2025-11-13
6.5
CVSS
MEDIUM
CVE-2026-21528

Binding to an unrestricted ip address in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

pub. 2026-02-10
6.3
CVSS
MEDIUM
CVE-2026-28395

OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.

pub. 2026-03-05
5.9
CVSS
MEDIUM
CVE-2023-5398

Server receiving a malformed message based on a list of IPs resulting in heap corruption causing a denial of service. See Honeywell Security Notification for recommendations on upgrading and versioning.

pub. 2024-04-17
5.3
CVSS
MEDIUM
CVE-2024-47176

CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

pub. 2024-09-26
5.3
CVSS
MEDIUM
CVE-2024-36105

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`. On systems with IPv6, '' represents `IN6ADDR_ANY`, which is equivalent to `"::"`. A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in `dbt docs serve`.

pub. 2024-05-27
4.3
CVSS
MEDIUM
CVE-2024-49382

Excessive attack surface in archive-server service due to binding to an unrestricted IP address. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.

pub. 2024-10-15
4.3
CVSS
MEDIUM
CVE-2024-49383

Excessive attack surface in acep-importer service due to binding to an unrestricted IP address. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.

pub. 2024-10-15
4.3
CVSS
MEDIUM
CVE-2024-49384

Excessive attack surface in acep-collector service due to binding to an unrestricted IP address. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.

pub. 2024-10-15
3.0
CVSS
LOW
CVE-2022-29820

In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible

pub. 2022-04-28
Informacje
ID: CWE-1327
Typ: Base
Podatności: 18
MITRE CWE ↗
← Słownik CWE