CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-45X9-627R-26HH
Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-04-08 18:32The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.
{
"affected": [],
"aliases": [
"CVE-2023-7014"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T22:15:58Z",
"severity": "MODERATE"
},
"details": "The Author Box, Guest Author and Co-Authors for Your Posts \u2013 Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the \u0027ma_debu\u0027 parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.",
"id": "GHSA-45x9-627r-26hh",
"modified": "2026-04-08T18:32:32Z",
"published": "2024-02-06T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7014"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3019084"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/538e9ce3-2d48-44ad-bd08-8eead3ef15c3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4643-MH94-6WJJ
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-003 Catalina. A malicious application may be able to access a user's call history.
{
"affected": [],
"aliases": [
"CVE-2021-30673"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-003 Catalina. A malicious application may be able to access a user\u0027s call history.",
"id": "GHSA-4643-mh94-6wjj",
"modified": "2022-07-13T00:01:24Z",
"published": "2022-05-24T19:13:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30673"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212529"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212530"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4687-M9RR-F6P3
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.
{
"affected": [],
"aliases": [
"CVE-2019-3569"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-26T15:15:00Z",
"severity": "HIGH"
},
"details": "HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.",
"id": "GHSA-4687-m9rr-f6p3",
"modified": "2022-05-24T16:48:43Z",
"published": "2022-05-24T16:48:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3569"
},
{
"type": "WEB",
"url": "https://github.com/facebook/hhvm/commit/97ef580ec2cca9a54da6f9bd9fdd9a455f6d74ed"
},
{
"type": "WEB",
"url": "https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-46P2-HFF5-P9CV
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37This vulnerability allows remote attackers to execute code by creating arbitrary files on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp._3d.add_005f3d_005fview_005fdo_jsp servlet, which listens on TCP port 8081 by default. When parsing the filename parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5197.
{
"affected": [],
"aliases": [
"CVE-2017-16606"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-23T01:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute code by creating arbitrary files on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp._3d.add_005f3d_005fview_005fdo_jsp servlet, which listens on TCP port 8081 by default. When parsing the filename parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5197.",
"id": "GHSA-46p2-hff5-p9cv",
"modified": "2022-05-13T01:37:23Z",
"published": "2022-05-13T01:37:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16606"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-47GR-XFF6-MQ74
Vulnerability from github – Published: 2025-06-27 18:30 – Updated: 2025-07-02 15:30Software installed and running inside a Guest VM may override Firmware's state and gain access to the GPU.
{
"affected": [],
"aliases": [
"CVE-2025-46707"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T17:15:33Z",
"severity": "MODERATE"
},
"details": "Software installed and running inside a Guest VM may override Firmware\u0027s state and gain access to the GPU.",
"id": "GHSA-47gr-xff6-mq74",
"modified": "2025-07-02T15:30:35Z",
"published": "2025-06-27T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46707"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-47P2-P2P7-C22C
Vulnerability from github – Published: 2023-12-12 09:30 – Updated: 2023-12-12 09:30An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user's permissions.
{
"affected": [],
"aliases": [
"CVE-2023-41120"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T07:15:45Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user\u0027s permissions.",
"id": "GHSA-47p2-p2p7-c22c",
"modified": "2023-12-12T09:30:32Z",
"published": "2023-12-12T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41120"
},
{
"type": "WEB",
"url": "https://www.enterprisedb.com/docs/security/advisories/cve202341120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-47R2-GQX8-P99J
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2020-24511"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"id": "GHSA-47r2-gqx8-p99j",
"modified": "2022-05-24T19:04:29Z",
"published": "2022-05-24T19:04:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24511"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00022.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210611-0005"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4934"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-47WV-VHJ2-G66M
Vulnerability from github – Published: 2022-03-29 19:18 – Updated: 2024-09-20 21:30Impact
The insecure tempfile.mktemp() is used when Horovod is run in an LSF job with jsrun. In that situation, a jsrun rank file is created with mktemp, which could be hijacked by another process to read or manipulate the content.
This issue does not impact the use of MPI, Gloo, Spark or Ray.
Patches
The problem has been fixed in b96ecae4.
Workarounds
The rank file is not created when binding_args are provided in the Settings instance.
References
Please see https://github.com/horovod/horovod/pull/3358 for details.
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/horovod/horovod
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "horovod"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0315"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-29T19:18:32Z",
"nvd_published_at": "2022-03-24T09:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe insecure `tempfile.mktemp()` is used when Horovod is run in an LSF job with `jsrun`. In that situation, a jsrun rank file is created with `mktemp`, which could be hijacked by another process to read or manipulate the content.\n\nThis issue does not impact the use of MPI, Gloo, Spark or Ray.\n\n### Patches\nThe problem has been fixed in [b96ecae4](https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41).\n\n### Workarounds\nThe rank file is not created when `binding_args` are provided in the `Settings` instance.\n\n### References\nPlease see https://github.com/horovod/horovod/pull/3358 for details.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/horovod/horovod](https://github.com/horovod/horovod/issues/new/choose)",
"id": "GHSA-47wv-vhj2-g66m",
"modified": "2024-09-20T21:30:25Z",
"published": "2022-03-29T19:18:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/horovod/horovod/security/advisories/GHSA-47wv-vhj2-g66m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0315"
},
{
"type": "WEB",
"url": "https://github.com/horovod/horovod/pull/3358"
},
{
"type": "WEB",
"url": "https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-47wv-vhj2-g66m"
},
{
"type": "PACKAGE",
"url": "https://github.com/horovod/horovod"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/horovod/PYSEC-2022-175.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7e50397b-dd63-4bb5-b56d-704094a7da45"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Use of insecure temporary file in Horovod"
}
GHSA-4857-4Q6J-XXX3
Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2022-09-23 00:00Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2021-33081"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-20T15:15:00Z",
"severity": "MODERATE"
},
"details": "Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-4857-4q6j-xxx3",
"modified": "2022-09-23T00:00:33Z",
"published": "2022-09-21T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33081"
},
{
"type": "WEB",
"url": "https://www.solidigm.com/content/dam/newco-aem-site/master/site/support/Solidigm%20SA-000563%20rev1.1.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-48P4-VVX3-R759
Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00IBM Robotic Process Automation 21.0.2 could allow a local user to obtain sensitive web service configuration credentials from system memory. IBM X-Force ID: 223026.
{
"affected": [],
"aliases": [
"CVE-2022-22414"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-20T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Robotic Process Automation 21.0.2 could allow a local user to obtain sensitive web service configuration credentials from system memory. IBM X-Force ID: 223026.",
"id": "GHSA-48p4-vvx3-r759",
"modified": "2022-06-29T00:00:57Z",
"published": "2022-06-21T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22414"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/223026"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6596071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.