CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-RPJH-XM3C-R22W
Vulnerability from github – Published: 2023-03-01 15:30 – Updated: 2023-03-10 03:30Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.
{
"affected": [],
"aliases": [
"CVE-2023-25544"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Dell NetWorker versions 19.5 and earlier contain \u0027Apache Tomcat\u0027 version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.",
"id": "GHSA-rpjh-xm3c-r22w",
"modified": "2023-03-10T03:30:14Z",
"published": "2023-03-01T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25544"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000210471/dsa-2023-058-dell-networker-security-update-for-version-disclosure-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQH4-X2V7-J34G
Vulnerability from github – Published: 2024-01-12 00:30 – Updated: 2024-05-20 12:30A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.
{
"affected": [],
"aliases": [
"CVE-2024-0443"
],
"database_specific": {
"cwe_ids": [
"CWE-402",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T00:15:45Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.",
"id": "GHSA-rqh4-x2v7-j34g",
"modified": "2024-05-20T12:30:27Z",
"published": "2024-01-12T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0443"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7370"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0443"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257968"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-block/20221215033132.230023-3-longman@redhat.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RR7P-XGF7-GRW4
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-08-31 00:00A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device’s external storage to read cached TLS material.
{
"affected": [],
"aliases": [
"CVE-2021-24027"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-06T17:15:00Z",
"severity": "HIGH"
},
"details": "A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device\u2019s external storage to read cached TLS material.",
"id": "GHSA-rr7p-xgf7-grw4",
"modified": "2022-08-31T00:00:19Z",
"published": "2022-05-24T22:28:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24027"
},
{
"type": "WEB",
"url": "https://www.whatsapp.com/security/advisories/2021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRX8-HRJ2-395Q
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-14 00:00Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34728, CVE-2022-35837.
{
"affected": [],
"aliases": [
"CVE-2022-38006"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-13T19:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34728, CVE-2022-35837.",
"id": "GHSA-rrx8-hrj2-395q",
"modified": "2022-09-14T00:00:45Z",
"published": "2022-09-14T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38006"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38006"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRXP-XQ3M-923G
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-13 00:00In getEndItemSliceAction of MediaOutputSlice.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-175124820
{
"affected": [],
"aliases": [
"CVE-2021-0552"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-22T12:15:00Z",
"severity": "MODERATE"
},
"details": "In getEndItemSliceAction of MediaOutputSlice.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-175124820",
"id": "GHSA-rrxp-xq3m-923g",
"modified": "2022-07-13T00:00:59Z",
"published": "2022-05-24T19:05:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0552"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RV55-4JCM-GVQF
Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2022-06-29 00:00IBM Robotic Process Automation 20.10.0, 20.12.5, 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI. IBM X-Force ID: 227294.
{
"affected": [],
"aliases": [
"CVE-2022-30607"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Robotic Process Automation 20.10.0, 20.12.5, 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI. IBM X-Force ID: 227294.",
"id": "GHSA-rv55-4jcm-gvqf",
"modified": "2022-06-29T00:00:57Z",
"published": "2022-06-18T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30607"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/227294"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6595759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RVG2-VH9M-CQ32
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2023-02-13 00:30LibreOffice and OpenOffice automatically open embedded content
{
"affected": [],
"aliases": [
"CVE-2012-5639"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-20T14:15:00Z",
"severity": "MODERATE"
},
"details": "LibreOffice and OpenOffice automatically open embedded content",
"id": "GHSA-rvg2-vh9m-cq32",
"modified": "2023-02-13T00:30:40Z",
"published": "2022-04-23T00:40:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5639"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2012-5639"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5639"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r253f92d0e6511d07a79774002e1d9db1d20b24bff27914a5adb14ccb%40%3Cissues.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r253f92d0e6511d07a79774002e1d9db1d20b24bff27914a5adb14ccb@%3Cissues.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-5639"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/12/14/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/28/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/03/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/03/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RVV5-9RJ9-WJR2
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2025-04-11 03:56Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the sandbox protection mechanism by leveraging access to a sandboxed process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary affected product may be clarified later; it was not identified by the researcher, who reportedly stated "it really doesn't matter if it's third-party code."
{
"affected": [],
"aliases": [
"CVE-2012-1846"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-03-22T16:55:00Z",
"severity": "HIGH"
},
"details": "Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the sandbox protection mechanism by leveraging access to a sandboxed process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary affected product may be clarified later; it was not identified by the researcher, who reportedly stated \"it really doesn\u0027t matter if it\u0027s third-party code.\"",
"id": "GHSA-rvv5-9rj9-wjr2",
"modified": "2025-04-11T03:56:28Z",
"published": "2022-05-13T01:27:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1846"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74324"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14940"
},
{
"type": "WEB",
"url": "http://pwn2own.zerodayinitiative.com/status.html"
},
{
"type": "WEB",
"url": "http://twitter.com/vupen/statuses/177576000761237505"
},
{
"type": "WEB",
"url": "http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees"
},
{
"type": "WEB",
"url": "http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWFM-QQ63-7JQR
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause the underlying trust of the application trustlist mechanism is missing..
{
"affected": [],
"aliases": [
"CVE-2021-22420"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-03T18:15:00Z",
"severity": "HIGH"
},
"details": "A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause the underlying trust of the application trustlist mechanism is missing..",
"id": "GHSA-rwfm-qq63-7jqr",
"modified": "2022-05-24T19:09:49Z",
"published": "2022-05-24T19:09:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22420"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/oem_security_update_phone_202106-0000001165452077"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RWGH-9H84-FCV3
Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:34Information disclosure in Kernel due to indirect branch misprediction.
{
"affected": [],
"aliases": [
"CVE-2022-40523"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T08:15:11Z",
"severity": "MODERATE"
},
"details": "Information disclosure in Kernel due to indirect branch misprediction.",
"id": "GHSA-rwgh-9h84-fcv3",
"modified": "2024-04-04T04:34:12Z",
"published": "2023-06-06T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40523"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.