CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-WV3W-FCVM-P52V
Vulnerability from github – Published: 2021-12-15 00:01 – Updated: 2021-12-18 00:01A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.
{
"affected": [],
"aliases": [
"CVE-2021-44522"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-14T12:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions \u003c V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.",
"id": "GHSA-wv3w-fcvm-p52v",
"modified": "2021-12-18T00:01:57Z",
"published": "2021-12-15T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44522"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WV48-PVF9-QV86
Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2022-4025"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-02T23:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)",
"id": "GHSA-wv48-pvf9-qv86",
"modified": "2023-01-09T21:30:22Z",
"published": "2023-01-03T00:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4025"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1260250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WV7P-48P2-XRVW
Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-05 00:00IBM QRadar SIEM 7.3, 7.4, and 7.5 allows for users to access information across tenant and domain boundaries in some situations. IBM X-Force ID: 208397.
{
"affected": [],
"aliases": [
"CVE-2021-38874"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-27T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM QRadar SIEM 7.3, 7.4, and 7.5 allows for users to access information across tenant and domain boundaries in some situations. IBM X-Force ID: 208397.",
"id": "GHSA-wv7p-48p2-xrvw",
"modified": "2022-05-05T00:00:32Z",
"published": "2022-04-28T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38874"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208397"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6574787"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WVVH-P7C3-9MR7
Vulnerability from github – Published: 2023-11-13 18:30 – Updated: 2023-11-13 18:30Use of implicit intent for sensitive communication vulnerability in startAgreeToDisclaimerActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.
{
"affected": [],
"aliases": [
"CVE-2023-42546"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T08:15:21Z",
"severity": "MODERATE"
},
"details": "Use of implicit intent for sensitive communication vulnerability in startAgreeToDisclaimerActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.",
"id": "GHSA-wvvh-p7c3-9mr7",
"modified": "2023-11-13T18:30:59Z",
"published": "2023-11-13T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42546"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WVW9-5VQ9-WMCQ
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-10 00:00IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure. IBM X-Force ID: 225889.
{
"affected": [],
"aliases": [
"CVE-2022-22480"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure. IBM X-Force ID: 225889.",
"id": "GHSA-wvw9-5vq9-wmcq",
"modified": "2022-10-10T00:00:32Z",
"published": "2022-10-07T18:15:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22480"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225889"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6826695"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWP8-3R8G-W274
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-16 00:00Exposure of Sensitive Information in CSC application prior to SMR Jul-2022 Release 1 allows local attacker to access wifi information via unprotected intent broadcasting.
{
"affected": [],
"aliases": [
"CVE-2022-33694"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T14:15:00Z",
"severity": "LOW"
},
"details": "Exposure of Sensitive Information in CSC application prior to SMR Jul-2022 Release 1 allows local attacker to access wifi information via unprotected intent broadcasting.",
"id": "GHSA-wwp8-3r8g-w274",
"modified": "2022-07-16T00:00:22Z",
"published": "2022-07-13T00:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33694"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWR3-QQ72-5VCC
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
{
"affected": [],
"aliases": [
"CVE-2021-39127"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-21T03:15:00Z",
"severity": "MODERATE"
},
"details": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.",
"id": "GHSA-wwr3-qq72-5vcc",
"modified": "2022-05-24T19:18:30Z",
"published": "2022-05-24T19:18:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39127"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-72003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WX8F-P63X-543F
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2024-08-01 09:30The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.
{
"affected": [],
"aliases": [
"CVE-2022-24975"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T20:15:00Z",
"severity": "HIGH"
},
"details": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.",
"id": "GHSA-wx8f-p63x-543f",
"modified": "2024-08-01T09:30:48Z",
"published": "2022-02-12T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24975"
},
{
"type": "WEB",
"url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g"
},
{
"type": "WEB",
"url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations"
},
{
"type": "WEB",
"url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXCX-PQJC-2PP9
Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2022-07-13 00:01All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
{
"affected": [],
"aliases": [
"CVE-2021-22146"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-21T15:15:00Z",
"severity": "HIGH"
},
"details": "All versions of Elastic Cloud Enterprise has the Elasticsearch \u201canonymous\u201d user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.",
"id": "GHSA-wxcx-pqjc-2pp9",
"modified": "2022-07-13T00:01:08Z",
"published": "2022-05-24T22:29:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22146"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210819-0005"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXJ7-97FP-J53J
Vulnerability from github – Published: 2022-02-01 00:46 – Updated: 2022-02-07 21:20The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "zip-local"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23484"
],
"database_specific": {
"cwe_ids": [
"CWE-29",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-31T19:55:36Z",
"nvd_published_at": "2022-01-28T22:15:00Z",
"severity": "CRITICAL"
},
"details": "The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.",
"id": "GHSA-wxj7-97fp-j53j",
"modified": "2022-02-07T21:20:28Z",
"published": "2022-02-01T00:46:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23484"
},
{
"type": "WEB",
"url": "https://github.com/Mostafa-Samir/zip-local/commit/6bb9b59733df379ac168aa705790bd8339b4bf9b"
},
{
"type": "WEB",
"url": "https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085"
},
{
"type": "PACKAGE",
"url": "https://github.com/Mostafa-Samir/zip-local"
},
{
"type": "WEB",
"url": "https://github.com/Mostafa-Samir/zip-local/blob/master/main.js%23L365"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ZIPLOCAL-2327477"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in Zip-Local"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.