Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1248 vulnerabilities reference this CWE, most recent first.

GHSA-2W7Q-MJ4W-9CM2

Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2024-01-12 15:30
VLAI
Details

An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T14:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. ",
  "id": "GHSA-2w7q-mj4w-9cm2",
  "modified": "2024-01-12T15:30:32Z",
  "published": "2024-01-12T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6955"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WQ3-R2PM-PWFM

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01
VLAI
Details

Inappropriate implementation in Navigation in Google Chrome prior to 93.0.4577.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Navigation in Google Chrome prior to 93.0.4577.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
  "id": "GHSA-2wq3-r2pm-pwfm",
  "modified": "2022-07-13T00:01:23Z",
  "published": "2022-05-24T19:12:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30615"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop_31.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1208614"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WR2-8QJQ-GH55

Vulnerability from github – Published: 2021-12-16 15:27 – Updated: 2021-12-06 21:35
VLAI
Summary
Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search
Details

Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.craftercms:crafter-search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-06T21:35:33Z",
    "nvd_published_at": "2021-12-02T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.",
  "id": "GHSA-2wr2-8qjq-gh55",
  "modified": "2021-12-06T21:35:33Z",
  "published": "2021-12-16T15:27:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftercms/craftercms/commit/0e256ef0372c7be9d6e2fefc4652dd4fd94770a1"
    },
    {
      "type": "WEB",
      "url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search"
}

GHSA-2XGX-58X8-9QQR

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-07-13 00:01
VLAI
Details

The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-28T19:15:00Z",
    "severity": "LOW"
  },
  "details": "The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information.",
  "id": "GHSA-2xgx-58x8-9qqr",
  "modified": "2022-07-13T00:01:24Z",
  "published": "2022-05-24T19:19:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30816"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212814"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XWP-3V4P-X875

Vulnerability from github – Published: 2023-01-18 12:30 – Updated: 2023-01-26 18:30
VLAI
Details

Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-18T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.",
  "id": "GHSA-2xwp-3v4p-x875",
  "modified": "2023-01-26T18:30:48Z",
  "published": "2023-01-18T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34457"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000205633"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32P7-7Q74-W9JV

Vulnerability from github – Published: 2023-03-16 15:30 – Updated: 2023-03-24 15:30
VLAI
Details

An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-16T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions.",
  "id": "GHSA-32p7-7q74-w9jv",
  "modified": "2023-03-24T15:30:20Z",
  "published": "2023-03-16T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22647"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Messi-Q/CVE-Application/blob/master/DepositGame-reentrancy/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-339Q-62WM-C39W

Vulnerability from github – Published: 2022-07-15 21:32 – Updated: 2022-09-08 14:24
VLAI
Summary
Undertow vulnerable to Denial of Service (DoS) attacks
Details

Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-214",
      "CWE-400",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-15T21:32:13Z",
    "nvd_published_at": "2022-08-26T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.",
  "id": "GHSA-339q-62wm-c39w",
  "modified": "2022-09-08T14:24:12Z",
  "published": "2022-07-15T21:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/pull/1296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2021-3859"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/undertow-io/undertow"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/UNDERTOW-1979"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221201-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undertow vulnerable to Denial of Service (DoS) attacks"
}

GHSA-33R4-HMP8-J73X

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-12-12 21:31
VLAI
Details

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-11T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.",
  "id": "GHSA-33r4-hmp8-j73x",
  "modified": "2023-12-12T21:31:06Z",
  "published": "2022-05-24T17:28:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16212"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"
    },
    {
      "type": "WEB",
      "url": "https://www.philips.com/productsecurity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-342R-V98V-XJFV

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-10-25 19:00
VLAI
Details

A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-09T18:15:00Z",
    "severity": "LOW"
  },
  "details": "A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.",
  "id": "GHSA-342r-v98v-xjfv",
  "modified": "2022-10-25T19:00:23Z",
  "published": "2022-05-24T17:46:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25364"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-34VX-3926-GFG8

Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2023-08-08 15:31
VLAI
Details

IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 as well as IBM Rational Team Concert 6.0.6 and 6.0.6.1 could allow an authneticated attacker to obtain sensitive information from build definitions that could aid in further attacks against the system. IBM X-Force ID: 200657.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-11T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 as well as IBM Rational Team Concert 6.0.6 and 6.0.6.1 could allow an authneticated attacker to obtain sensitive information from build definitions that could aid in further attacks against the system. IBM X-Force ID: 200657.",
  "id": "GHSA-34vx-3926-gfg8",
  "modified": "2023-08-08T15:31:31Z",
  "published": "2022-01-12T00:01:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29701"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/200657"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6539546"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.