CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-97QP-7H55-JXGR
Vulnerability from github – Published: 2023-11-20 18:30 – Updated: 2023-11-20 18:30PowerShell Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-36013"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-20T16:15:08Z",
"severity": "MODERATE"
},
"details": "PowerShell Information Disclosure Vulnerability",
"id": "GHSA-97qp-7h55-jxgr",
"modified": "2023-11-20T18:30:46Z",
"published": "2023-11-20T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36013"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9852-HR94-HF7P
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.
{
"affected": [],
"aliases": [
"CVE-2022-27822"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.",
"id": "GHSA-9852-hr94-hf7p",
"modified": "2022-04-19T00:01:12Z",
"published": "2022-04-12T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27822"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-98M4-M2C3-QXGQ
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-12-06 21:56Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.10"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:jira"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16541"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-06T21:56:30Z",
"nvd_published_at": "2019-11-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.",
"id": "GHSA-98m4-m2c3-qxgq",
"modified": "2022-12-06T21:56:30Z",
"published": "2022-05-24T17:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16541"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jira-plugin/commit/3214a54b6871d82cb34a26949aad93b0fa78d1a8"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jira-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1106"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins JIRA Plugin allows users to select and use credentials with System scope"
}
GHSA-99P4-7RF3-P26Q
Vulnerability from github – Published: 2023-01-27 15:30 – Updated: 2023-02-07 21:30An information disclosure vulnerability in Totolink A830R V4.1.2cu.5182 allows attackers to obtain the root password via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2022-48067"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in Totolink A830R V4.1.2cu.5182 allows attackers to obtain the root password via a brute-force attack.",
"id": "GHSA-99p4-7rf3-p26q",
"modified": "2023-02-07T21:30:21Z",
"published": "2023-01-27T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48067"
},
{
"type": "WEB",
"url": "https://befitting-vinca-933.notion.site/Totolink-A830R-V4-1-2cu-5182-Sensitive-Information-Disclosure-567f4a17d5cc401b97e5c3e61aae8ca0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9F3W-8VW8-XR57
Vulnerability from github – Published: 2022-01-12 00:00 – Updated: 2024-11-14 21:31Windows GDI Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-21904"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T21:15:00Z",
"severity": "HIGH"
},
"details": "Windows GDI Information Disclosure Vulnerability.",
"id": "GHSA-9f3w-8vw8-xr57",
"modified": "2024-11-14T21:31:50Z",
"published": "2022-01-12T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21904"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21904"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21904"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9F9M-8VQ9-GWH7
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-26444, CVE-2021-42301.
{
"affected": [],
"aliases": [
"CVE-2021-42323"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-10T01:19:00Z",
"severity": "LOW"
},
"details": "Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-26444, CVE-2021-42301.",
"id": "GHSA-9f9m-8vq9-gwh7",
"modified": "2022-07-13T00:01:42Z",
"published": "2022-05-24T19:20:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42323"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42323"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9FHQ-8W23-F2MG
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2023-08-08 15:31Microsoft Defender for IoT Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-43888"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "HIGH"
},
"details": "Microsoft Defender for IoT Information Disclosure Vulnerability",
"id": "GHSA-9fhq-8w23-f2mg",
"modified": "2023-08-08T15:31:24Z",
"published": "2021-12-16T00:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43888"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43888"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9G8X-92Q2-P28F
Vulnerability from github – Published: 2026-05-29 18:20 – Updated: 2026-06-12 19:30Summary
NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin.
The following builtins are not blocked by the dangerous builtin denylist:
diagnostics_channel
async_hooks
perf_hooks
These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.
Note: It is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.
Details
Non-denied builtins are exposed to the sandbox through lib/builtin.js:
builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));
diagnostics_channel, async_hooks, and perf_hooks are not denied. These modules expose host process state rather than sandbox-local state.
Confirmed examples:
diagnostics_channellets sandboxed code subscribe to Node.js HTTP diagnostic channels such ashttp.server.request.start. The sandbox receives host HTTP request objects and can read headers such asAuthorizationor session tokens.async_hooks.executionAsyncResource()lets sandboxed code read the current hostAsyncResource. If the host stores request/user data on that resource, the sandbox can read it.perf_hooks.performance.getEntriesByType('mark')lets sandboxed code read host performance timeline entries.
PoC
Run from the vm2 repository root:
node poc/observability-builtins-info-leak.js
observability-builtins-info-leak.js
The PoC uses only the specific builtin being tested in each section.
It confirms:
diagnostics_channel: sandbox reads host HTTP request headers
async_hooks: sandbox reads host AsyncResource data
perf_hooks: sandbox reads host performance mark names
Example impact from the PoC:
authorization: Bearer HOST_HTTP_SECRET_...
x-session-token: HOST_HTTP_SECRET_...
These values are sent to a host HTTP server, but the sandbox reads them through diagnostics_channel.
Impact
An attacker who can run untrusted JavaScript inside NodeVM with affected builtin settings can observe data from the host process.
In a real application, this may expose HTTP request headers, authorization tokens, session tokens, request context values, user identifiers, or other sensitive diagnostics data from the host application or from other users.
Suggested fix
Treat process-wide observability modules as dangerous builtins for untrusted sandboxes.
At minimum, consider blocking:
diagnostics_channel
async_hooks
perf_hooks
These modules are not sandbox-local and can expose host process state across the vm2 boundary.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.11.3"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47141"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T18:20:45Z",
"nvd_published_at": "2026-06-12T15:16:28Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`NodeVM` exposes some process-wide observability builtins when they are allowed through `require.builtin`.\n\nThe following builtins are not blocked by the dangerous builtin denylist:\n\n```text\ndiagnostics_channel\nasync_hooks\nperf_hooks\n```\n\nThese modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.\n\n**Note**: It is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.\n\n## Details\n\nNon-denied builtins are exposed to the sandbox through `lib/builtin.js`:\n\n```js\nbuiltins.set(key, special ? special : vm =\u003e vm.readonly(hostRequire(key)));\n```\n\n`diagnostics_channel`, `async_hooks`, and `perf_hooks` are not denied. These modules expose host process state rather than sandbox-local state.\n\nConfirmed examples:\n\n1. `diagnostics_channel` lets sandboxed code subscribe to Node.js HTTP diagnostic channels such as `http.server.request.start`. The sandbox receives host HTTP request objects and can read headers such as `Authorization` or session tokens.\n2. `async_hooks.executionAsyncResource()` lets sandboxed code read the current host `AsyncResource`. If the host stores request/user data on that resource, the sandbox can read it.\n3. `perf_hooks.performance.getEntriesByType(\u0027mark\u0027)` lets sandboxed code read host performance timeline entries.\n\n## PoC\n\nRun from the vm2 repository root:\n\n```bash\nnode poc/observability-builtins-info-leak.js\n```\n[observability-builtins-info-leak.js](https://github.com/user-attachments/files/27571259/observability-builtins-info-leak.js)\n\nThe PoC uses only the specific builtin being tested in each section.\n\nIt confirms:\n\n```text\ndiagnostics_channel: sandbox reads host HTTP request headers\nasync_hooks: sandbox reads host AsyncResource data\nperf_hooks: sandbox reads host performance mark names\n```\n\nExample impact from the PoC:\n\n```text\nauthorization: Bearer HOST_HTTP_SECRET_...\nx-session-token: HOST_HTTP_SECRET_...\n```\n\nThese values are sent to a host HTTP server, but the sandbox reads them through `diagnostics_channel`.\n\n\u003cimg width=\"997\" height=\"566\" alt=\"Screenshot 2026-05-10 at 1 13 20\u202fPM\" src=\"https://github.com/user-attachments/assets/36a7d600-8b53-4bfe-ab06-4e6dcfad5015\" /\u003e\n\n## Impact\n\nAn attacker who can run untrusted JavaScript inside `NodeVM` with affected builtin settings can observe data from the host process.\n\nIn a real application, this may expose HTTP request headers, authorization tokens, session tokens, request context values, user identifiers, or other sensitive diagnostics data from the host application or from other users.\n\n## Suggested fix\n\nTreat process-wide observability modules as dangerous builtins for untrusted sandboxes.\n\nAt minimum, consider blocking:\n\n```text\ndiagnostics_channel\nasync_hooks\nperf_hooks\n```\n\nThese modules are not sandbox-local and can expose host process state across the vm2 boundary.",
"id": "GHSA-9g8x-92q2-p28f",
"modified": "2026-06-12T19:30:13Z",
"published": "2026-05-29T18:20:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47141"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "NodeVM observability builtins leak host process and HTTP request data"
}
GHSA-9GMC-P2C5-WM4V
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-16 00:00In StatusBar.java, there is a possible disclosure of notification content on the lockscreen due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-189575031
{
"affected": [],
"aliases": [
"CVE-2021-39628"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "LOW"
},
"details": "In StatusBar.java, there is a possible disclosure of notification content on the lockscreen due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-189575031",
"id": "GHSA-9gmc-p2c5-wm4v",
"modified": "2022-01-16T00:00:49Z",
"published": "2022-01-15T00:01:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39628"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-01-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9H7C-FM35-PJFG
Vulnerability from github – Published: 2021-12-15 00:00 – Updated: 2021-12-21 00:01An issue was discovered in Listary through 6. An attacker can create a \.\pipe\Listary.listaryService named pipe and wait for a privileged user to open a session on the Listary installed host. Listary will automatically access the named pipe and the attacker will be able to duplicate the victim's token to impersonate him. This exploit is valid in certain Windows versions (Microsoft has patched the issue in later Windows 10 builds).
{
"affected": [],
"aliases": [
"CVE-2021-41065"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-14T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Listary through 6. An attacker can create a \\\\.\\pipe\\Listary.listaryService named pipe and wait for a privileged user to open a session on the Listary installed host. Listary will automatically access the named pipe and the attacker will be able to duplicate the victim\u0027s token to impersonate him. This exploit is valid in certain Windows versions (Microsoft has patched the issue in later Windows 10 builds).",
"id": "GHSA-9h7c-fm35-pjfg",
"modified": "2021-12-21T00:01:29Z",
"published": "2021-12-15T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41065"
},
{
"type": "WEB",
"url": "https://medium.com/@tomerp_77017/exploiting-listary-searching-your-way-to-system-privileges-8175af676c3e"
},
{
"type": "WEB",
"url": "https://www.listary.com/download"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.