CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-HHV4-6PCH-F75F
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-01-06 00:01This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.
{
"affected": [],
"aliases": [
"CVE-2019-8702"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.",
"id": "GHSA-hhv4-6pch-f75f",
"modified": "2022-01-06T00:01:17Z",
"published": "2021-12-24T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8702"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210346"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210348"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210351"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJ65-M3W6-QJ7X
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities
{
"affected": [],
"aliases": [
"CVE-2014-2387"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-13T14:15:00Z",
"severity": "MODERATE"
},
"details": "Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities",
"id": "GHSA-hj65-m3w6-qj7x",
"modified": "2024-04-03T23:59:43Z",
"published": "2022-05-17T19:57:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2387"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-2387"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2014-2387"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91992"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-2387"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/03/13/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/03/14/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/66214"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ9J-3XXG-6259
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2025-10-22 00:32A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
{
"affected": [],
"aliases": [
"CVE-2021-20124"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-13T16:15:00Z",
"severity": "HIGH"
},
"details": "A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.",
"id": "GHSA-hj9j-3xxg-6259",
"modified": "2025-10-22T00:32:25Z",
"published": "2022-05-24T19:17:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20124"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20124"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2021-42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ9M-CRM5-8427
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-06-29 00:00IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.
{
"affected": [],
"aliases": [
"CVE-2021-20416"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.",
"id": "GHSA-hj9m-crm5-8427",
"modified": "2022-06-29T00:00:40Z",
"published": "2022-05-24T19:06:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20416"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196218"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6469407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJFJ-25P5-2P2V
Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-10-26 19:00An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
{
"affected": [],
"aliases": [
"CVE-2022-27912"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-25T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.",
"id": "GHSA-hjfj-25p5-2p2v",
"modified": "2022-10-26T19:00:42Z",
"published": "2022-10-26T12:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27912"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/885-20221001-core-disclosure-of-critical-information-in-debug-mode.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HM3X-JWWF-JPR9
Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2022-03-31 20:43An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. A patch is available on the master branch and anticipated to be part of version 11.6.1.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.6.0"
},
"package": {
"ecosystem": "PyPI",
"name": "tripleo-heat-templates"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4180"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-31T20:43:24Z",
"nvd_published_at": "2022-03-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the `www_authenticate_uri parameter` (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. A patch is available on the `master` branch and anticipated to be part of version 11.6.1.",
"id": "GHSA-hm3x-jwwf-jpr9",
"modified": "2022-03-31T20:43:24Z",
"published": "2022-03-24T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4180"
},
{
"type": "WEB",
"url": "https://github.com/openstack/tripleo-heat-templates/commit/160936df134a471cfd245bd60964046027a571ea"
},
{
"type": "WEB",
"url": "https://github.com/openstack/tripleo-heat-templates/commit/2b9461e97fc5c4ceb0848d1cc4484f656bb85515"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/tripleo/+bug/1955397"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035793"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/tripleo-heat-templates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Sensitive Information to an Unauthorized Actor in OpenStack tripleo-heat-templates"
}
GHSA-HM77-HG92-MP58
Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31Windows Failover Cluster Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-29102"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Failover Cluster Information Disclosure Vulnerability.",
"id": "GHSA-hm77-hg92-mp58",
"modified": "2025-01-02T21:31:33Z",
"published": "2022-05-11T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29102"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29102"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29102"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HM8W-PXCF-MJ62
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-40210"
],
"database_specific": {
"cwe_ids": [
"CWE-488",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:14Z",
"severity": "HIGH"
},
"details": "Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-hm8w-pxcf-mj62",
"modified": "2024-04-04T03:59:29Z",
"published": "2023-05-10T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40210"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00772.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HMV8-293H-5VRJ
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2026-07-09 18:31A Denial Of Service vulnerability exists in PcVue from version 8.10 onward, due to the ability for a non-authorized user to modify information used to validate messages sent by legitimate web clients.
{
"affected": [],
"aliases": [
"CVE-2020-26868"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-767"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-12T14:15:00Z",
"severity": "HIGH"
},
"details": "A Denial Of Service vulnerability exists in PcVue from version 8.10 onward, due to the ability for a non-authorized user to modify information used to validate messages sent by legitimate web clients.",
"id": "GHSA-hmv8-293h-5vrj",
"modified": "2026-07-09T18:31:21Z",
"published": "2022-05-24T17:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26868"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/10/09/klcert-20-016-denial-of-service-in-arc-informatique-pcvue"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-308-03"
},
{
"type": "WEB",
"url": "https://www.pcvuesolutions.com/index.php/support-a-services/resources/security-alerts-95138"
},
{
"type": "WEB",
"url": "https://www.pcvuesolutions.com/security"
},
{
"type": "WEB",
"url": "https://www.pcvuesolutions.com/support/index.php/en/security-bulletin/1076-security-bulletin-2020-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HP3Q-RGPX-37WQ
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-12 12:00Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
{
"affected": [],
"aliases": [
"CVE-2022-39866"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T15:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.",
"id": "GHSA-hp3q-rgpx-37wq",
"modified": "2022-10-12T12:00:24Z",
"published": "2022-10-07T18:15:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39866"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.