CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-WF7F-Q2XR-HRMH
Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-05-01 18:31Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
{
"affected": [],
"aliases": [
"CVE-2026-39911"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T18:17:01Z",
"severity": "HIGH"
},
"details": "Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.",
"id": "GHSA-wf7f-q2xr-hrmh",
"modified": "2026-05-01T18:31:19Z",
"published": "2026-04-09T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39911"
},
{
"type": "WEB",
"url": "https://github.com/hashgraph/guardian/pull/5929"
},
{
"type": "WEB",
"url": "https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WFH8-85QF-JRR2
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1
{
"affected": [],
"aliases": [
"CVE-2021-22525"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-02T17:15:00Z",
"severity": "MODERATE"
},
"details": "This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1",
"id": "GHSA-wfh8-85qf-jrr2",
"modified": "2022-07-13T00:01:10Z",
"published": "2022-05-24T19:12:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22525"
},
{
"type": "WEB",
"url": "https://support.microfocus.com/kb/doc.php?id=7025254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGCC-3VW8-RP8C
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:01There is an unauthorized access vulnerability in system components. Successful exploitation of this vulnerability will affect confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-40051"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:43:00Z",
"severity": "HIGH"
},
"details": "There is an unauthorized access vulnerability in system components. Successful exploitation of this vulnerability will affect confidentiality.",
"id": "GHSA-wgcc-3vw8-rp8c",
"modified": "2022-03-17T00:01:55Z",
"published": "2022-03-11T00:02:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40051"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/3"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202203-0000001257385193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHPG-CVGX-J44F
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911
{
"affected": [],
"aliases": [
"CVE-2021-0734"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911",
"id": "GHSA-whpg-cvgx-j44f",
"modified": "2022-08-14T00:00:22Z",
"published": "2022-08-12T00:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0734"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHX7-8J7G-CCFQ
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of WRQ requests. When parsing the Filename field, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5137.
{
"affected": [],
"aliases": [
"CVE-2017-16597"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-23T01:29:00Z",
"severity": "CRITICAL"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of WRQ requests. When parsing the Filename field, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5137.",
"id": "GHSA-whx7-8j7g-ccfq",
"modified": "2022-05-13T01:37:23Z",
"published": "2022-05-13T01:37:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16597"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-962"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJ55-2MRJ-R24Q
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-17 00:00In Content, there is a possible way to learn gmail account name on the device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-209005023
{
"affected": [],
"aliases": [
"CVE-2022-20270"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Content, there is a possible way to learn gmail account name on the device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-209005023",
"id": "GHSA-wj55-2mrj-r24q",
"modified": "2022-08-17T00:00:32Z",
"published": "2022-08-13T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20270"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJ6W-52QH-V4Q5
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-24 00:01The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."
{
"affected": [],
"aliases": [
"CVE-2021-45402"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"",
"id": "GHSA-wj6w-52qh-v4q5",
"modified": "2022-02-24T00:01:20Z",
"published": "2022-02-12T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45402"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=3cf2b61eb06765e27fec6799292d9fb46d0b7e60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=b1a7288dedc6caf9023f2676b4f5ed34cf0d4029"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=e572ff80f05c33cd0cb4860f864f5c9c044280b6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WJM9-95FJ-M85F
Vulnerability from github – Published: 2022-09-15 00:00 – Updated: 2022-09-18 00:00IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.
{
"affected": [],
"aliases": [
"CVE-2021-38924"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-14T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.",
"id": "GHSA-wjm9-95fj-m85f",
"modified": "2022-09-18T00:00:32Z",
"published": "2022-09-15T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38924"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/210163"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6620059"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJPF-P2M9-5WMV
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-07-13 00:01In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
{
"affected": [],
"aliases": [
"CVE-2021-39898"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-05T00:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.",
"id": "GHSA-wjpf-p2m9-5wmv",
"modified": "2022-07-13T00:01:38Z",
"published": "2022-05-24T19:19:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39898"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/698068"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39898.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/33734"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WM5J-XH87-7H84
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2023-03-31 18:30An information disclosure vulnerability exists within Dut Computer Control Engineering Co.'s PLC MAC1100.
{
"affected": [],
"aliases": [
"CVE-2020-18754"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-13T17:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability exists within Dut Computer Control Engineering Co.\u0027s PLC MAC1100.",
"id": "GHSA-wm5j-xh87-7h84",
"modified": "2023-03-31T18:30:22Z",
"published": "2022-05-24T19:11:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18754"
},
{
"type": "WEB",
"url": "https://github.com/Ni9htMar3/vulnerability/blob/master/PLC/DCCE/DCCE%20MAC1100%20PLC_leak.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.