Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-HHV4-6PCH-F75F

Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-01-06 00:01
VLAI
Details

This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-23T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.",
  "id": "GHSA-hhv4-6pch-f75f",
  "modified": "2022-01-06T00:01:17Z",
  "published": "2021-12-24T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8702"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT210346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT210348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT210351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HJ65-M3W6-QJ7X

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59
VLAI
Details

Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-13T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities",
  "id": "GHSA-hj65-m3w6-qj7x",
  "modified": "2024-04-03T23:59:43Z",
  "published": "2022-05-17T19:57:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2387"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-2387"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2014-2387"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91992"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2014-2387"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/03/13/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/03/14/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/66214"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ9J-3XXG-6259

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2025-10-22 00:32
VLAI
Details

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.",
  "id": "GHSA-hj9j-3xxg-6259",
  "modified": "2025-10-22T00:32:25Z",
  "published": "2022-05-24T19:17:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20124"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20124"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2021-42"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ9M-CRM5-8427

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-06-29 00:00
VLAI
Details

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-07T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.",
  "id": "GHSA-hj9m-crm5-8427",
  "modified": "2022-06-29T00:00:40Z",
  "published": "2022-05-24T19:06:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20416"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196218"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6469407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJFJ-25P5-2P2V

Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-10-26 19:00
VLAI
Details

An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.",
  "id": "GHSA-hjfj-25p5-2p2v",
  "modified": "2022-10-26T19:00:42Z",
  "published": "2022-10-26T12:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27912"
    },
    {
      "type": "WEB",
      "url": "https://developer.joomla.org/security-centre/885-20221001-core-disclosure-of-critical-information-in-debug-mode.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HM3X-JWWF-JPR9

Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2022-03-31 20:43
VLAI
Summary
Exposure of Sensitive Information to an Unauthorized Actor in OpenStack tripleo-heat-templates
Details

An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. A patch is available on the master branch and anticipated to be part of version 11.6.1.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.6.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "tripleo-heat-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-31T20:43:24Z",
    "nvd_published_at": "2022-03-23T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the `www_authenticate_uri parameter` (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. A patch is available on the `master` branch and anticipated to be part of version 11.6.1.",
  "id": "GHSA-hm3x-jwwf-jpr9",
  "modified": "2022-03-31T20:43:24Z",
  "published": "2022-03-24T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/tripleo-heat-templates/commit/160936df134a471cfd245bd60964046027a571ea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/tripleo-heat-templates/commit/2b9461e97fc5c4ceb0848d1cc4484f656bb85515"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/tripleo/+bug/1955397"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035793"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/tripleo-heat-templates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Sensitive Information to an Unauthorized Actor in OpenStack tripleo-heat-templates"
}

GHSA-HM77-HG92-MP58

Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31
VLAI
Details

Windows Failover Cluster Information Disclosure Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Failover Cluster Information Disclosure Vulnerability.",
  "id": "GHSA-hm77-hg92-mp58",
  "modified": "2025-01-02T21:31:33Z",
  "published": "2022-05-11T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29102"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29102"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HM8W-PXCF-MJ62

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59
VLAI
Details

Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-488",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:14Z",
    "severity": "HIGH"
  },
  "details": "Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-hm8w-pxcf-mj62",
  "modified": "2024-04-04T03:59:29Z",
  "published": "2023-05-10T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40210"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00772.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMV8-293H-5VRJ

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2026-07-09 18:31
VLAI
Details

A Denial Of Service vulnerability exists in PcVue from version 8.10 onward, due to the ability for a non-authorized user to modify information used to validate messages sent by legitimate web clients.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-767"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-12T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Denial Of Service vulnerability exists in PcVue from version 8.10 onward, due to the ability for a non-authorized user to modify information used to validate messages sent by legitimate web clients.",
  "id": "GHSA-hmv8-293h-5vrj",
  "modified": "2026-07-09T18:31:21Z",
  "published": "2022-05-24T17:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26868"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/10/09/klcert-20-016-denial-of-service-in-arc-informatique-pcvue"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-308-03"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvuesolutions.com/index.php/support-a-services/resources/security-alerts-95138"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvuesolutions.com/security"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvuesolutions.com/support/index.php/en/security-bulletin/1076-security-bulletin-2020-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP3Q-RGPX-37WQ

Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-12 12:00
VLAI
Details

Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-07T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.",
  "id": "GHSA-hp3q-rgpx-37wq",
  "modified": "2022-10-12T12:00:24Z",
  "published": "2022-10-07T18:15:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39866"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.