Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-WJM9-95FJ-M85F

Vulnerability from github – Published: 2022-09-15 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-14T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.",
  "id": "GHSA-wjm9-95fj-m85f",
  "modified": "2022-09-18T00:00:32Z",
  "published": "2022-09-15T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38924"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/210163"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6620059"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJPF-P2M9-5WMV

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-07-13 00:01
VLAI
Details

In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-05T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.",
  "id": "GHSA-wjpf-p2m9-5wmv",
  "modified": "2022-07-13T00:01:38Z",
  "published": "2022-05-24T19:19:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39898"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/698068"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39898.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/33734"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM5J-XH87-7H84

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2023-03-31 18:30
VLAI
Details

An information disclosure vulnerability exists within Dut Computer Control Engineering Co.'s PLC MAC1100.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-18754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-13T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An information disclosure vulnerability exists within Dut Computer Control Engineering Co.\u0027s PLC MAC1100.",
  "id": "GHSA-wm5j-xh87-7h84",
  "modified": "2023-03-31T18:30:22Z",
  "published": "2022-05-24T19:11:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ni9htMar3/vulnerability/blob/master/PLC/DCCE/DCCE%20MAC1100%20PLC_leak.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMFX-XJGG-239P

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 18:30
VLAI
Details

An improper access control vulnerability was identified in the Realtek audio driver. A local authenticated malicious user may potentially exploit this vulnerability by waiting for an administrator to launch the application and attach to the process to elevate privileges on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An improper access control vulnerability was identified in the Realtek audio driver. A local authenticated malicious user may potentially exploit this vulnerability by waiting for an administrator to launch the application and attach to the process to elevate privileges on the system.",
  "id": "GHSA-wmfx-xjgg-239p",
  "modified": "2023-02-03T18:30:25Z",
  "published": "2023-01-26T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34405"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000205721/dsa-2022-316-dell-client-security-update-for-a-realtek-high-definition-audio-driver-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMJF-JPJJ-9F3J

Vulnerability from github – Published: 2017-11-15 20:39 – Updated: 2023-08-28 13:43
VLAI
Summary
RuboCop gem Insecure use of /tmp
Details

RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local users to exploit this to tamper with cache files belonging to other users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rubocop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.49.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-8418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:00:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local users to exploit this to tamper with cache files belonging to other users.",
  "id": "GHSA-wmjf-jpjj-9f3j",
  "modified": "2023-08-28T13:43:41Z",
  "published": "2017-11-15T20:39:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bbatsov/rubocop/issues/4336"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubocop/rubocop/commit/dcb258fabd5f2624c1ea0e1634763094590c09d7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bbatsov/rubocop"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubocop/CVE-2017-8418.yml"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/05/01/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RuboCop gem Insecure use of /tmp"
}

GHSA-WMM4-PVRX-WVV8

Vulnerability from github – Published: 2026-04-01 18:36 – Updated: 2026-04-01 18:36
VLAI
Details

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host.

This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T17:28:31Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host.\n\nThis vulnerability is due to the unintentional exposure of an\u0026nbsp;internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.",
  "id": "GHSA-wmm4-pvrx-wvv8",
  "modified": "2026-04-01T18:36:38Z",
  "published": "2026-04-01T18:36:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20160"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMMG-RJJC-VQH8

Vulnerability from github – Published: 2023-03-14 18:30 – Updated: 2023-03-14 18:30
VLAI
Details

Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-14T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability",
  "id": "GHSA-wmmg-rjjc-vqh8",
  "modified": "2023-03-14T18:30:19Z",
  "published": "2023-03-14T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23409"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23409"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP6C-P3VM-Q9JM

Vulnerability from github – Published: 2022-05-05 00:28 – Updated: 2024-04-03 23:57
VLAI
Details

An insecurity temporary file vulnerability exists in RHQ Mongo DB Drift Server through 2013-09-25 when unpacking zipped files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-4374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-04T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An insecurity temporary file vulnerability exists in RHQ Mongo DB Drift Server through 2013-09-25 when unpacking zipped files.",
  "id": "GHSA-wp6c-p3vm-q9jm",
  "modified": "2024-04-03T23:57:06Z",
  "published": "2022-05-05T00:28:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4374"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2013-4374"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPC8-GX68-F9R6

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

Information disclosure in the TeamCity plugin for IntelliJ before 2020.2.2.85899 was possible because a local temporary file had Insecure Permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-11T12:15:00Z",
    "severity": "LOW"
  },
  "details": "Information disclosure in the TeamCity plugin for IntelliJ before 2020.2.2.85899 was possible because a local temporary file had Insecure Permissions.",
  "id": "GHSA-wpc8-gx68-f9r6",
  "modified": "2022-05-24T19:02:10Z",
  "published": "2022-05-24T19:02:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26309"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WR5G-3V8J-6J7J

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30
VLAI
Details

Exposure of resource to wrong sphere in some Intel(R) processors with Intel(R) ACTM may allow a privileged user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T21:15:11Z",
    "severity": "HIGH"
  },
  "details": "Exposure of resource to wrong sphere in some Intel(R) processors with Intel(R) ACTM may allow a privileged user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-wr5g-3v8j-6j7j",
  "modified": "2024-11-13T21:30:35Z",
  "published": "2024-11-13T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24985"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01111.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.