Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1248 vulnerabilities reference this CWE, most recent first.

GHSA-45X9-627R-26HH

Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-04-08 18:32
VLAI
Details

The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-05T22:15:58Z",
    "severity": "MODERATE"
  },
  "details": "The Author Box, Guest Author and Co-Authors for Your Posts \u2013 Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the \u0027ma_debu\u0027 parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.",
  "id": "GHSA-45x9-627r-26hh",
  "modified": "2026-04-08T18:32:32Z",
  "published": "2024-02-06T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7014"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3019084"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/538e9ce3-2d48-44ad-bd08-8eead3ef15c3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4643-MH94-6WJJ

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01
VLAI
Details

An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-003 Catalina. A malicious application may be able to access a user's call history.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-003 Catalina. A malicious application may be able to access a user\u0027s call history.",
  "id": "GHSA-4643-mh94-6wjj",
  "modified": "2022-07-13T00:01:24Z",
  "published": "2022-05-24T19:13:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30673"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212529"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4687-M9RR-F6P3

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48
VLAI
Details

HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-26T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.",
  "id": "GHSA-4687-m9rr-f6p3",
  "modified": "2022-05-24T16:48:43Z",
  "published": "2022-05-24T16:48:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3569"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hhvm/commit/97ef580ec2cca9a54da6f9bd9fdd9a455f6d74ed"
    },
    {
      "type": "WEB",
      "url": "https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-46P2-HFF5-P9CV

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

This vulnerability allows remote attackers to execute code by creating arbitrary files on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp._3d.add_005f3d_005fview_005fdo_jsp servlet, which listens on TCP port 8081 by default. When parsing the filename parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5197.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-23T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute code by creating arbitrary files on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp._3d.add_005f3d_005fview_005fdo_jsp servlet, which listens on TCP port 8081 by default. When parsing the filename parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5197.",
  "id": "GHSA-46p2-hff5-p9cv",
  "modified": "2022-05-13T01:37:23Z",
  "published": "2022-05-13T01:37:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16606"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-47GR-XFF6-MQ74

Vulnerability from github – Published: 2025-06-27 18:30 – Updated: 2025-07-02 15:30
VLAI
Details

Software installed and running inside a Guest VM may override Firmware's state and gain access to the GPU.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-27T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Software installed and running inside a Guest VM may override Firmware\u0027s state and gain access to the GPU.",
  "id": "GHSA-47gr-xff6-mq74",
  "modified": "2025-07-02T15:30:35Z",
  "published": "2025-06-27T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46707"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-47P2-P2P7-C22C

Vulnerability from github – Published: 2023-12-12 09:30 – Updated: 2023-12-12 09:30
VLAI
Details

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user's permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T07:15:45Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user\u0027s permissions.",
  "id": "GHSA-47p2-p2p7-c22c",
  "modified": "2023-12-12T09:30:32Z",
  "published": "2023-12-12T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41120"
    },
    {
      "type": "WEB",
      "url": "https://www.enterprisedb.com/docs/security/advisories/cve202341120"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-47R2-GQX8-P99J

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-47r2-gqx8-p99j",
  "modified": "2022-05-24T19:04:29Z",
  "published": "2022-05-24T19:04:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24511"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210611-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4934"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-47WV-VHJ2-G66M

Vulnerability from github – Published: 2022-03-29 19:18 – Updated: 2024-09-20 21:30
VLAI
Summary
Use of insecure temporary file in Horovod
Details

Impact

The insecure tempfile.mktemp() is used when Horovod is run in an LSF job with jsrun. In that situation, a jsrun rank file is created with mktemp, which could be hijacked by another process to read or manipulate the content.

This issue does not impact the use of MPI, Gloo, Spark or Ray.

Patches

The problem has been fixed in b96ecae4.

Workarounds

The rank file is not created when binding_args are provided in the Settings instance.

References

Please see https://github.com/horovod/horovod/pull/3358 for details.

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/horovod/horovod

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "horovod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-29T19:18:32Z",
    "nvd_published_at": "2022-03-24T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe insecure `tempfile.mktemp()` is used when Horovod is run in an LSF job with `jsrun`. In that situation, a jsrun rank file is created with `mktemp`, which could be hijacked by another process to read or manipulate the content.\n\nThis issue does not impact the use of MPI, Gloo, Spark or Ray.\n\n### Patches\nThe problem has been fixed in [b96ecae4](https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41).\n\n### Workarounds\nThe rank file is not created when `binding_args` are provided in the `Settings` instance.\n\n### References\nPlease see https://github.com/horovod/horovod/pull/3358 for details.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/horovod/horovod](https://github.com/horovod/horovod/issues/new/choose)",
  "id": "GHSA-47wv-vhj2-g66m",
  "modified": "2024-09-20T21:30:25Z",
  "published": "2022-03-29T19:18:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/horovod/horovod/security/advisories/GHSA-47wv-vhj2-g66m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horovod/horovod/pull/3358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-47wv-vhj2-g66m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/horovod/horovod"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/horovod/PYSEC-2022-175.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/7e50397b-dd63-4bb5-b56d-704094a7da45"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Use of insecure temporary file in Horovod"
}

GHSA-4857-4Q6J-XXX3

Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2022-09-23 00:00
VLAI
Details

Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-20T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-4857-4q6j-xxx3",
  "modified": "2022-09-23T00:00:33Z",
  "published": "2022-09-21T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33081"
    },
    {
      "type": "WEB",
      "url": "https://www.solidigm.com/content/dam/newco-aem-site/master/site/support/Solidigm%20SA-000563%20rev1.1.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-48P4-VVX3-R759

Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00
VLAI
Details

IBM Robotic Process Automation 21.0.2 could allow a local user to obtain sensitive web service configuration credentials from system memory. IBM X-Force ID: 223026.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-20T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Robotic Process Automation 21.0.2 could allow a local user to obtain sensitive web service configuration credentials from system memory. IBM X-Force ID: 223026.",
  "id": "GHSA-48p4-vvx3-r759",
  "modified": "2022-06-29T00:00:57Z",
  "published": "2022-06-21T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22414"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/223026"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6596071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.