CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-4QPV-RCPM-MQXR
Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2022-07-13 00:00Windows Network File System Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-22028"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T23:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Network File System Information Disclosure Vulnerability.",
"id": "GHSA-4qpv-rcpm-mqxr",
"modified": "2022-07-13T00:00:40Z",
"published": "2022-07-13T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22028"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22028"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RF4-CV9G-449X
Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-05-24 00:00Microsoft Message Queuing Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43236.
{
"affected": [],
"aliases": [
"CVE-2021-43222"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "HIGH"
},
"details": "Microsoft Message Queuing Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43236.",
"id": "GHSA-4rf4-cv9g-449x",
"modified": "2022-05-24T00:00:47Z",
"published": "2021-12-16T00:02:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43222"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43222"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RX2-JPV5-VJJG
Vulnerability from github – Published: 2022-04-29 02:59 – Updated: 2025-04-03 04:03Opera 7.54 and earlier does not properly limit an applet's access to internal Java packages from Sun, which allows remote attackers to gain sensitive information, such as user names and the installation directory.
{
"affected": [],
"aliases": [
"CVE-2004-1489"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-12-31T05:00:00Z",
"severity": "LOW"
},
"details": "Opera 7.54 and earlier does not properly limit an applet\u0027s access to internal Java packages from Sun, which allows remote attackers to gain sensitive information, such as user names and the installation directory.",
"id": "GHSA-4rx2-jpv5-vjjg",
"modified": "2025-04-03T04:03:29Z",
"published": "2022-04-29T02:59:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-1489"
},
{
"type": "WEB",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029044.html"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200502-17.xml"
},
{
"type": "WEB",
"url": "http://www.opera.com/linux/changelogs/754u1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4V8X-G9MF-87FR
Vulnerability from github – Published: 2023-02-14 21:30 – Updated: 2023-02-14 21:30Microsoft Office Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-21714"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Office Information Disclosure Vulnerability",
"id": "GHSA-4v8x-g9mf-87fr",
"modified": "2023-02-14T21:30:29Z",
"published": "2023-02-14T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21714"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4VRW-QVG8-27QC
Vulnerability from github – Published: 2021-12-17 00:00 – Updated: 2023-08-08 15:31An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or Collector daemon can discover secrets that could allow them to control other users' jobs and/or read their data.
{
"affected": [],
"aliases": [
"CVE-2021-45101"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-16T05:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or Collector daemon can discover secrets that could allow them to control other users\u0027 jobs and/or read their data.",
"id": "GHSA-4vrw-qvg8-27qc",
"modified": "2023-08-08T15:31:25Z",
"published": "2021-12-17T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45101"
},
{
"type": "WEB",
"url": "https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4W86-WMPG-XC6M
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor's kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The attack occurs when one user (who has an unprivileged account but is also able to authenticate as root) writes a text file using Kate into a directory owned by a another unprivileged user. The latter unprivileged user conducts a symlink attack to achieve privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2018-10361"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-25T05:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor\u0027s kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The attack occurs when one user (who has an unprivileged account but is also able to authenticate as root) writes a text file using Kate into a directory owned by a another unprivileged user. The latter unprivileged user conducts a symlink attack to achieve privilege escalation.",
"id": "GHSA-4w86-wmpg-xc6m",
"modified": "2022-05-13T01:48:46Z",
"published": "2022-05-13T01:48:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10361"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1033055"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/04/24/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/09/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4W9H-XCP4-6V33
Vulnerability from github – Published: 2023-09-12 18:30 – Updated: 2025-10-22 00:32Microsoft Word Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-36761"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T17:15:11Z",
"severity": "MODERATE"
},
"details": "Microsoft Word Information Disclosure Vulnerability",
"id": "GHSA-4w9h-xcp4-6v33",
"modified": "2025-10-22T00:32:50Z",
"published": "2023-09-12T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36761"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4WH7-MQ9J-WHXW
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-07-13 00:01NVIDIA GeForce Experience, all versions prior to 3.23, contains a vulnerability where, if a user clicks on a maliciously formatted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session. Such an attack may lead to these targeted users' data being accessed, altered, or lost.
{
"affected": [],
"aliases": [
"CVE-2021-1073"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-25T20:15:00Z",
"severity": "HIGH"
},
"details": "NVIDIA GeForce Experience, all versions prior to 3.23, contains a vulnerability where, if a user clicks on a maliciously formatted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session. Such an attack may lead to these targeted users\u0027 data being accessed, altered, or lost.",
"id": "GHSA-4wh7-mq9j-whxw",
"modified": "2022-07-13T00:01:00Z",
"published": "2022-05-24T19:06:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1073"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5199"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4WM5-QF3G-46H5
Vulnerability from github – Published: 2023-10-10 18:31 – Updated: 2024-04-04 08:30Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-36429"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T18:15:12Z",
"severity": "MODERATE"
},
"details": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability",
"id": "GHSA-4wm5-qf3g-46h5",
"modified": "2024-04-04T08:30:36Z",
"published": "2023-10-10T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36429"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36429"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X6V-RWH4-55JW
Vulnerability from github – Published: 2019-12-02 18:16 – Updated: 2023-09-08 19:57Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can manipulate internal attributes by adding additional attributes to user input.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pomelo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-18954"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2019-12-02T01:20:21Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in `template/game-server/app/servers/connector/handler/entryHandler.js` because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can manipulate internal attributes by adding additional attributes to user input.",
"id": "GHSA-4x6v-rwh4-55jw",
"modified": "2023-09-08T19:57:36Z",
"published": "2019-12-02T18:16:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18954"
},
{
"type": "WEB",
"url": "https://github.com/NetEase/pomelo/issues/1149"
},
{
"type": "WEB",
"url": "https://github.com/cl0udz/vulnerabilities/tree/master/pomelo-critical-state-manipulation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Pomelo allows external control of critical state data"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.