CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-PF76-3JJ8-RPQG
Vulnerability from github – Published: 2023-11-01 03:31 – Updated: 2023-11-01 03:31Authenticated clients can read arbitrary files on the MAIN Computer system using the remote procedure call (RPC) of the InspectSetup service endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.
{
"affected": [],
"aliases": [
"CVE-2023-2622"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T03:15:07Z",
"severity": "LOW"
},
"details": "\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n",
"id": "GHSA-pf76-3jj8-rpqg",
"modified": "2023-11-01T03:31:00Z",
"published": "2023-11-01T03:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2622"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF7H-H2WQ-M7PG
Vulnerability from github – Published: 2021-11-21 00:00 – Updated: 2024-10-22 14:57An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3003.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21996"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-05T22:05:39Z",
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.",
"id": "GHSA-pf7h-h2wq-m7pg",
"modified": "2024-10-22T14:57:24Z",
"published": "2021-11-21T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21996"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-318.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/saltstack/salt"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ"
},
{
"type": "WEB",
"url": "https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-22"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in salt"
}
GHSA-PF94-6V2V-CM3J
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-06-22 18:37In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level @RequestMappingannotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.4"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-openfeign-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.9"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-openfeign-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22044"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T18:37:06Z",
"nvd_published_at": "2021-10-28T16:15:00Z",
"severity": "HIGH"
},
"details": "In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods.",
"id": "GHSA-pf94-6v2v-cm3j",
"modified": "2022-06-22T18:37:06Z",
"published": "2022-05-24T19:19:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22044"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2021-22044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in Spring Cloud OpenFeign"
}
GHSA-PFGW-PM22-HFP2
Vulnerability from github – Published: 2022-04-30 18:16 – Updated: 2025-04-03 03:43Acme mini_httpd before 1.16 allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
{
"affected": [],
"aliases": [
"CVE-2001-0893"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-11-13T05:00:00Z",
"severity": "MODERATE"
},
"details": "Acme mini_httpd before 1.16 allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.",
"id": "GHSA-pfgw-pm22-hfp2",
"modified": "2025-04-03T03:43:51Z",
"published": "2022-04-30T18:16:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-0893"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=100568999726036\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.acme.com/software/mini_httpd"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/7541.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PGMV-HX9G-JJHF
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution
{
"affected": [],
"aliases": [
"CVE-2014-0023"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-15T15:15:00Z",
"severity": "HIGH"
},
"details": "OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution",
"id": "GHSA-pgmv-hx9g-jjhf",
"modified": "2024-04-03T23:59:07Z",
"published": "2022-05-17T19:57:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0023"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2014-0023"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHG8-X4RR-QPGF
Vulnerability from github – Published: 2022-01-19 00:00 – Updated: 2023-08-08 15:31An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks of other companies.
{
"affected": [],
"aliases": [
"CVE-2021-44838"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks of other companies.",
"id": "GHSA-phg8-x4rr-qpgf",
"modified": "2023-08-08T15:31:37Z",
"published": "2022-01-19T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44838"
},
{
"type": "WEB",
"url": "https://gist.github.com/rntcruz23/6575c0ef45c30687c538361910bb8ab3"
},
{
"type": "WEB",
"url": "https://www.deltarm.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHP6-9CG9-XVC8
Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-09-07 00:01Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.
{
"affected": [],
"aliases": [
"CVE-2022-26330"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-31T16:15:00Z",
"severity": "HIGH"
},
"details": "Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.",
"id": "GHSA-php6-9cg9-xvc8",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-09-01T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26330"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000010167?language=en_US"
},
{
"type": "WEB",
"url": "https://www.microfocus.com/support/downloads"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJG2-878F-MVHC
Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-11 00:00PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
{
"affected": [],
"aliases": [
"CVE-2022-36829"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-05T16:15:00Z",
"severity": "MODERATE"
},
"details": "PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.",
"id": "GHSA-pjg2-878f-mvhc",
"modified": "2022-08-11T00:00:34Z",
"published": "2022-08-06T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36829"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=08"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year==2022\u0026month=08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJH7-QQHQ-G74C
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07The issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. A person with physical access to a device may be able to view contact information from the lock screen
{
"affected": [],
"aliases": [
"CVE-2023-32394"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:12Z",
"severity": "LOW"
},
"details": "The issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. A person with physical access to a device may be able to view contact information from the lock screen",
"id": "GHSA-pjh7-qqhq-g74c",
"modified": "2024-04-04T05:07:55Z",
"published": "2023-06-23T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32394"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213761"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMPF-MG57-995X
Vulnerability from github – Published: 2023-03-14 18:30 – Updated: 2023-03-14 18:30Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-24863"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T17:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability",
"id": "GHSA-pmpf-mg57-995x",
"modified": "2023-03-14T18:30:20Z",
"published": "2023-03-14T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24863"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24863"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.