CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-2W7Q-MJ4W-9CM2
Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2024-01-12 15:30An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
{
"affected": [],
"aliases": [
"CVE-2023-6955"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668",
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T14:15:49Z",
"severity": "MODERATE"
},
"details": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. ",
"id": "GHSA-2w7q-mj4w-9cm2",
"modified": "2024-01-12T15:30:32Z",
"published": "2024-01-12T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6955"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2WQ3-R2PM-PWFM
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01Inappropriate implementation in Navigation in Google Chrome prior to 93.0.4577.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30615"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Navigation in Google Chrome prior to 93.0.4577.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-2wq3-r2pm-pwfm",
"modified": "2022-07-13T00:01:23Z",
"published": "2022-05-24T19:12:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30615"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop_31.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1208614"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30615"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2WR2-8QJQ-GH55
Vulnerability from github – Published: 2021-12-16 15:27 – Updated: 2021-12-06 21:35Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:crafter-search"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23264"
],
"database_specific": {
"cwe_ids": [
"CWE-402",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-06T21:35:33Z",
"nvd_published_at": "2021-12-02T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.",
"id": "GHSA-2wr2-8qjq-gh55",
"modified": "2021-12-06T21:35:33Z",
"published": "2021-12-16T15:27:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23264"
},
{
"type": "WEB",
"url": "https://github.com/craftercms/craftercms/commit/0e256ef0372c7be9d6e2fefc4652dd4fd94770a1"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search"
}
GHSA-2XGX-58X8-9QQR
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-07-13 00:01The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information.
{
"affected": [],
"aliases": [
"CVE-2021-30816"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-28T19:15:00Z",
"severity": "LOW"
},
"details": "The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information.",
"id": "GHSA-2xgx-58x8-9qqr",
"modified": "2022-07-13T00:01:24Z",
"published": "2022-05-24T19:19:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30816"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2XWP-3V4P-X875
Vulnerability from github – Published: 2023-01-18 12:30 – Updated: 2023-01-26 18:30Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.
{
"affected": [],
"aliases": [
"CVE-2022-34457"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T12:15:00Z",
"severity": "HIGH"
},
"details": "Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.",
"id": "GHSA-2xwp-3v4p-x875",
"modified": "2023-01-26T18:30:48Z",
"published": "2023-01-18T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34457"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000205633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-32P7-7Q74-W9JV
Vulnerability from github – Published: 2023-03-16 15:30 – Updated: 2023-03-24 15:30An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions.
{
"affected": [],
"aliases": [
"CVE-2020-22647"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-16T15:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions.",
"id": "GHSA-32p7-7q74-w9jv",
"modified": "2023-03-24T15:30:20Z",
"published": "2023-03-16T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22647"
},
{
"type": "WEB",
"url": "https://github.com/Messi-Q/CVE-Application/blob/master/DepositGame-reentrancy/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-339Q-62WM-C39W
Vulnerability from github – Published: 2022-07-15 21:32 – Updated: 2022-09-08 14:24Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3859"
],
"database_specific": {
"cwe_ids": [
"CWE-214",
"CWE-400",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T21:32:13Z",
"nvd_published_at": "2022-08-26T16:15:00Z",
"severity": "HIGH"
},
"details": "Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.",
"id": "GHSA-339q-62wm-c39w",
"modified": "2022-09-08T14:24:12Z",
"published": "2022-07-15T21:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/pull/1296"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2021-3859"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
},
{
"type": "PACKAGE",
"url": "https://github.com/undertow-io/undertow"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/UNDERTOW-1979"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221201-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undertow vulnerable to Denial of Service (DoS) attacks"
}
GHSA-33R4-HMP8-J73X
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-12-12 21:31Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
{
"affected": [],
"aliases": [
"CVE-2020-16212"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.",
"id": "GHSA-33r4-hmp8-j73x",
"modified": "2023-12-12T21:31:06Z",
"published": "2022-05-24T17:28:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16212"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"
},
{
"type": "WEB",
"url": "https://www.philips.com/productsecurity"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-342R-V98V-XJFV
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-10-25 19:00A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.
{
"affected": [],
"aliases": [
"CVE-2021-25364"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-09T18:15:00Z",
"severity": "LOW"
},
"details": "A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.",
"id": "GHSA-342r-v98v-xjfv",
"modified": "2022-10-25T19:00:23Z",
"published": "2022-05-24T17:46:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25364"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-34VX-3926-GFG8
Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2023-08-08 15:31IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 as well as IBM Rational Team Concert 6.0.6 and 6.0.6.1 could allow an authneticated attacker to obtain sensitive information from build definitions that could aid in further attacks against the system. IBM X-Force ID: 200657.
{
"affected": [],
"aliases": [
"CVE-2021-29701"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 as well as IBM Rational Team Concert 6.0.6 and 6.0.6.1 could allow an authneticated attacker to obtain sensitive information from build definitions that could aid in further attacks against the system. IBM X-Force ID: 200657.",
"id": "GHSA-34vx-3926-gfg8",
"modified": "2023-08-08T15:31:31Z",
"published": "2022-01-12T00:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29701"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/200657"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6539546"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.