CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-R228-W758-3QFV
Vulnerability from github – Published: 2023-02-10 21:30 – Updated: 2023-02-27 15:30Dell BSAFE SSL-J when used in debug mode can reveal unnecessary information. An attacker could potentially exploit this vulnerability and have access to private information.
{
"affected": [],
"aliases": [
"CVE-2022-34364"
],
"database_specific": {
"cwe_ids": [
"CWE-1295",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "Dell BSAFE SSL-J when used in debug mode can reveal unnecessary information. An attacker could potentially exploit this vulnerability and have access to private information.",
"id": "GHSA-r228-w758-3qfv",
"modified": "2023-02-27T15:30:22Z",
"published": "2023-02-10T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34364"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000203275/dsa-2022-188-dell-bsafe-ssl-j-6-5-and-7-1-security-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R234-GVXH-M2FV
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-08-31 00:00A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Protect application Version 1.19.2 and earlier allows a malicious actor who has convinced a privileged user to access a URL with malicious code to take over said user’s account.This vulnerability is fixed in UniFi Protect application Version 1.20.0 and later.
{
"affected": [],
"aliases": [
"CVE-2021-22957"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-24T19:15:00Z",
"severity": "HIGH"
},
"details": "A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Protect application Version 1.19.2 and earlier allows a malicious actor who has convinced a privileged user to access a URL with malicious code to take over said user\u2019s account.This vulnerability is fixed in UniFi Protect application Version 1.20.0 and later.",
"id": "GHSA-r234-gvxh-m2fv",
"modified": "2022-08-31T00:00:18Z",
"published": "2022-05-24T22:28:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22957"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-021-021/62bd8841-6603-4fee-9dba-73037148f173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R24H-634P-M72X
Vulnerability from github – Published: 2020-06-10 20:02 – Updated: 2021-08-30 13:35In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the sanitize() and the validate() function used within schema-inspector.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "schema-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10781"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-10T18:15:24Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector.",
"id": "GHSA-r24h-634p-m72x",
"modified": "2021-08-30T13:35:23Z",
"published": "2020-06-10T20:02:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10781"
},
{
"type": "WEB",
"url": "https://github.com/Atinux/schema-inspector/commit/345a7b2eed11bb6128421150d65f4f83fdbb737d"
},
{
"type": "PACKAGE",
"url": "https://github.com/Atinux/schema-inspector"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SCHEMAINSPECTOR-536970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Validation Bypass in schema-inspector"
}
GHSA-R2QW-HW78-874V
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-10-25 19:00A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to leak when an attacker sends a HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 (Versions prior to V3.40), Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions), Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions), Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions), Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions), Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions)
{
"affected": [],
"aliases": [
"CVE-2021-22785"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T18:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to leak when an attacker sends a HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 (Versions prior to V3.40), Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions), Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions), Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions), Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions), Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions)",
"id": "GHSA-r2qw-hw78-874v",
"modified": "2022-10-25T19:00:36Z",
"published": "2022-02-12T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22785"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-257-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R38X-QWC8-XV5F
Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-23 00:00The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-43955"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-16T01:15:00Z",
"severity": "MODERATE"
},
"details": "The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability.",
"id": "GHSA-r38x-qwc8-xv5f",
"modified": "2022-03-23T00:00:35Z",
"published": "2022-03-17T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43955"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/CRUC-8533"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/FE-7397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R3G9-4C8X-FWV7
Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31Remote Desktop Protocol Client Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-26940"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "Remote Desktop Protocol Client Information Disclosure Vulnerability.",
"id": "GHSA-r3g9-4c8x-fwv7",
"modified": "2025-01-02T21:31:33Z",
"published": "2022-05-11T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26940"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26940"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R3P9-XJH5-CP2M
Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-18 00:00There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
{
"affected": [],
"aliases": [
"CVE-2022-38184"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-16T18:15:00Z",
"severity": "HIGH"
},
"details": "There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.",
"id": "GHSA-r3p9-xjh5-cp2m",
"modified": "2022-08-18T00:00:21Z",
"published": "2022-08-17T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38184"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R3Q4-4JHX-X4C9
Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2022-03-19 00:01Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage.
{
"affected": [],
"aliases": [
"CVE-2021-26341"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-11T18:15:00Z",
"severity": "MODERATE"
},
"details": "Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage.",
"id": "GHSA-r3q4-4jhx-x4c9",
"modified": "2022-03-19T00:01:23Z",
"published": "2022-03-12T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26341"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/18/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R3R5-JHW6-4634
Vulnerability from github – Published: 2022-04-08 00:00 – Updated: 2022-04-19 18:16SWHKD 1.1.5 unsafely uses the /tmp/swhkd.sock pathname. There can be an information leak or denial of service.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "Simple-Wayland-HotKey-Daemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-27818"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-08T22:12:19Z",
"nvd_published_at": "2022-04-07T02:15:00Z",
"severity": "CRITICAL"
},
"details": "SWHKD 1.1.5 unsafely uses the /tmp/swhkd.sock pathname. There can be an information leak or denial of service.",
"id": "GHSA-r3r5-jhw6-4634",
"modified": "2022-04-19T18:16:59Z",
"published": "2022-04-08T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27818"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/commit/f70b99dd575fab79d8a942111a6980431f006818"
},
{
"type": "PACKAGE",
"url": "https://github.com/waycrate/swhkd"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/releases/tag/1.2.0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/04/14/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insecure temporary file usage in SWHKD"
}
GHSA-R43F-XQ38-4W4R
Vulnerability from github – Published: 2023-02-27 21:30 – Updated: 2023-03-08 15:30This issue was addressed by enabling hardened runtime. This issue is fixed in macOS Monterey 12.6, macOS Big Sur 11.7. A user may be able to view sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2022-32896"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T20:15:00Z",
"severity": "MODERATE"
},
"details": "This issue was addressed by enabling hardened runtime. This issue is fixed in macOS Monterey 12.6, macOS Big Sur 11.7. A user may be able to view sensitive user information.",
"id": "GHSA-r43f-xq38-4w4r",
"modified": "2023-03-08T15:30:24Z",
"published": "2023-02-27T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32896"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213443"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.