CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-6WJR-CR9M-279Q
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
{
"affected": [],
"aliases": [
"CVE-2021-3554"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-24T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.",
"id": "GHSA-6wjr-cr9m-279q",
"modified": "2022-05-24T19:21:17Z",
"published": "2022-05-24T19:21:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3554"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WM6-MV83-V9QJ
Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01Browse restriction bypass vulnerability in Bulletin of Cybozu Garoon allows a remote authenticated attacker to obtain the data of Bulletin.
{
"affected": [],
"aliases": [
"CVE-2022-29471"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-04T07:15:00Z",
"severity": "MODERATE"
},
"details": "Browse restriction bypass vulnerability in Bulletin of Cybozu Garoon allows a remote authenticated attacker to obtain the data of Bulletin.",
"id": "GHSA-6wm6-mv83-v9qj",
"modified": "2022-07-13T00:01:53Z",
"published": "2022-07-05T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29471"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2022/007429.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN73897863/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WRH-279J-6HVW
Vulnerability from github – Published: 2022-03-10 17:55 – Updated: 2022-03-18 20:15Impact
HTTP caching is marking private HTTP headers as public
Patches
Fixed in recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.8.1"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.8.1"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.8.1"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/storefront"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24747"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-10T17:55:21Z",
"nvd_published_at": "2022-03-09T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nHTTP caching is marking private HTTP headers as public\n\n## Patches\nFixed in recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n## Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.",
"id": "GHSA-6wrh-279j-6hvw",
"modified": "2022-03-18T20:15:05Z",
"published": "2022-03-10T17:55:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24747"
},
{
"type": "WEB",
"url": "https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f"
},
{
"type": "WEB",
"url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "HTTP caching is marking private HTTP headers as public in Shopware"
}
GHSA-6X2V-HVX7-M5X7
Vulnerability from github – Published: 2022-07-24 00:00 – Updated: 2022-07-28 00:00Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to leak potentially sensitive information via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1137"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-23T00:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to leak potentially sensitive information via a crafted HTML page.",
"id": "GHSA-6x2v-hvx7-m5x7",
"modified": "2022-07-28T00:00:48Z",
"published": "2022-07-24T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1137"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1289846"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6XXC-4JC4-7JV3
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2025-05-14 19:17Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0"
},
{
"fixed": "7.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33330"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-09T13:17:26Z",
"nvd_published_at": "2021-08-03T19:15:00Z",
"severity": "MODERATE"
},
"details": "Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user\u2019s email address and current CSRF token.",
"id": "GHSA-6xxc-4jc4-7jv3",
"modified": "2025-05-14T19:17:39Z",
"published": "2022-05-24T22:28:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33330"
},
{
"type": "WEB",
"url": "https://issues.liferay.com/browse/LPE-17127"
},
{
"type": "WEB",
"url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in Liferay Portal"
}
GHSA-72C2-P2MR-MQR3
Vulnerability from github – Published: 2022-06-17 00:01 – Updated: 2022-06-29 00:00An issue was discovered in function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology Enabler) 0.1 through 1.4.2 allows attackers to read sensitive information during the training process of machine learning joint modeling.
{
"affected": [],
"aliases": [
"CVE-2020-25459"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-16T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology Enabler) 0.1 through 1.4.2 allows attackers to read sensitive information during the training process of machine learning joint modeling.",
"id": "GHSA-72c2-p2mr-mqr3",
"modified": "2022-06-29T00:00:27Z",
"published": "2022-06-17T00:01:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25459"
},
{
"type": "WEB",
"url": "https://github.com/FederatedAI/FATE/commit/6feccf6d752184a6f9365d56a76fe627983e7139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-72V5-4C4W-2CHJ
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:01A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services. The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow an attacker to reach internal services that are not hardened for external access.
{
"affected": [],
"aliases": [
"CVE-2019-1848"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-20T03:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services. The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow an attacker to reach internal services that are not hardened for external access.",
"id": "GHSA-72v5-4c4w-2chj",
"modified": "2024-04-04T01:01:52Z",
"published": "2022-05-24T16:48:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1848"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-dnac-bypass"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108837"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-73R4-PGGG-5F69
Vulnerability from github – Published: 2022-04-30 18:16 – Updated: 2025-04-03 03:43Acme Thttpd Secure Webserver before 2.22, with the chroot option enabled, allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
{
"affected": [],
"aliases": [
"CVE-2001-0892"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-11-13T05:00:00Z",
"severity": "MODERATE"
},
"details": "Acme Thttpd Secure Webserver before 2.22, with the chroot option enabled, allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.",
"id": "GHSA-73r4-pggg-5f69",
"modified": "2025-04-03T03:43:51Z",
"published": "2022-04-30T18:16:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-0892"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=100568999726036\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.acme.com/software/thttpd"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-74V5-X8GW-Q8F8
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00An issue in the handling of environment variables was addressed with improved validation. This issue is fixed in macOS Monterey 12.4. A user may be able to view sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2022-26707"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-23T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue in the handling of environment variables was addressed with improved validation. This issue is fixed in macOS Monterey 12.4. A user may be able to view sensitive user information.",
"id": "GHSA-74v5-x8gw-q8f8",
"modified": "2022-09-28T00:00:25Z",
"published": "2022-09-25T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26707"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213257"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7523-XCC2-M3RM
Vulnerability from github – Published: 2023-11-14 18:30 – Updated: 2023-11-14 18:30Open Management Infrastructure Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-36043"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T18:15:34Z",
"severity": "MODERATE"
},
"details": "Open Management Infrastructure Information Disclosure Vulnerability",
"id": "GHSA-7523-xcc2-m3rm",
"modified": "2023-11-14T18:30:28Z",
"published": "2023-11-14T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36043"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.