CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-55F6-4GR7-2WW5
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-20 00:00A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.27), Mendix Applications using Mendix 8 (All versions < V8.18.14), Mendix Applications using Mendix 9 (All versions < V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field.
{
"affected": [],
"aliases": [
"CVE-2022-25650"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T09:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.27), Mendix Applications using Mendix 8 (All versions \u003c V8.18.14), Mendix Applications using Mendix 9 (All versions \u003c V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field.",
"id": "GHSA-55f6-4gr7-2ww5",
"modified": "2022-04-20T00:00:54Z",
"published": "2022-04-13T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25650"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-562R-VG33-8X8H
Vulnerability from github – Published: 2022-11-23 22:17 – Updated: 2025-11-04 16:39Vulnerability
PreparedStatement.setText(int, InputStream)
and
PreparedStatemet.setBytea(int, InputStream)
will create a temporary file if the InputStream is larger than 51k
Example of vulnerable code:
String s = "some very large string greater than 51200 bytes";
PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) );
This will create a temporary file which is readable by other users on Unix like systems, but not MacOS.
Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.
This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.
When analyzing the impact of this vulnerability, here are the important questions to ask:
Is the driver running in an environment where the OS has other untrusted users. If yes, and you answered 'yes' to question 1, this vulnerability impacts you. If no, this vulnerability does not impact you. Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.
Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1 Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7 Java 1.6 and lower users: no patch is available; you must use the workaround below. Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.
References CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Fix commit https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Similar Vulnerabilities Google Guava - https://github.com/google/guava/issues/4011 Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.postgresql:postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "42.2.0"
},
{
"fixed": "42.2.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.postgresql:postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "42.3.0"
},
{
"fixed": "42.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.postgresql:postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "42.4.0"
},
{
"fixed": "42.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.postgresql:postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "42.5.0"
},
{
"fixed": "42.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41946"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-23T22:17:25Z",
"nvd_published_at": "2022-11-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "**Vulnerability**\n\n`PreparedStatement.setText(int, InputStream)`\nand\n\n`PreparedStatemet.setBytea(int, InputStream)`\n\nwill create a temporary file if the InputStream is larger than 51k\n\n \nExample of vulnerable code:\n\n```java\nString s = \"some very large string greater than 51200 bytes\";\n\nPreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) );\n```\nThis will create a temporary file which is readable by other users on Unix like systems, but not MacOS.\n\nImpact\nOn Unix like systems, the system\u0027s temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.\n\nThis vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.\n\nWhen analyzing the impact of this vulnerability, here are the important questions to ask:\n\nIs the driver running in an environment where the OS has other untrusted users.\nIf yes, and you answered \u0027yes\u0027 to question 1, this vulnerability impacts you.\nIf no, this vulnerability does not impact you.\nPatches\nBecause certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.\n\nJava 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1\nJava 1.7 users: this vulnerability is fixed in 42.2.27.jre7\nJava 1.6 and lower users: no patch is available; you must use the workaround below.\nWorkarounds\nIf you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.\n\nReferences\n[CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)\nFix commit https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5\nSimilar Vulnerabilities\nGoogle Guava - https://github.com/google/guava/issues/4011\nApache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\nJetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824",
"id": "GHSA-562r-vg33-8x8h",
"modified": "2025-11-04T16:39:34Z",
"published": "2022-11-23T22:17:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946"
},
{
"type": "WEB",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pgjdbc/pgjdbc"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240329-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "TemporaryFolder on unix-like systems does not limit access to created files"
}
GHSA-566V-P4RC-C936
Vulnerability from github – Published: 2021-12-04 00:00 – Updated: 2022-07-13 00:01IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view. IBM X-Force ID: 201087.
{
"affected": [],
"aliases": [
"CVE-2021-29716"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-03T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view. IBM X-Force ID: 201087.",
"id": "GHSA-566v-p4rc-c936",
"modified": "2022-07-13T00:01:17Z",
"published": "2021-12-04T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29716"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201087"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211223-0006"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6520510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-56PC-6JQP-XQJ8
Vulnerability from github – Published: 2020-10-06 17:46 – Updated: 2021-01-07 22:51Impact
Apps using both contextIsolation and sandbox: true are affected.
Apps using both contextIsolation and nativeWindowOpen: true are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
11.0.0-beta.610.1.29.3.18.5.2
For more information
If you have any questions or comments about this advisory: * Email us at security@electronjs.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-beta.0"
},
{
"fixed": "8.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-beta.0"
},
{
"fixed": "9.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0-beta.0"
},
{
"fixed": "10.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.0-beta.5"
},
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-beta.0"
},
{
"fixed": "11.0.0-beta.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15215"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2020-10-06T17:46:06Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nApps using both `contextIsolation` and `sandbox: true` are affected.\nApps using both `contextIsolation` and `nativeWindowOpen: true` are affected.\n\nThis is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.\n\n### Workarounds\nThere are no app-side workarounds, you must update your Electron version to be protected.\n\n### Fixed Versions\n* `11.0.0-beta.6`\n* `10.1.2`\n* `9.3.1`\n* `8.5.2`\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-56pc-6jqp-xqj8",
"modified": "2021-01-07T22:51:36Z",
"published": "2020-10-06T17:46:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-56pc-6jqp-xqj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15215"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Context isolation bypass in Electron"
}
GHSA-575C-C64W-3Q6W
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-06 00:00IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. IBM X-Force ID: 231360.
{
"affected": [],
"aliases": [
"CVE-2022-35716"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-01T11:15:00Z",
"severity": "MODERATE"
},
"details": "IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. IBM X-Force ID: 231360.",
"id": "GHSA-575c-c64w-3q6w",
"modified": "2022-08-06T00:00:54Z",
"published": "2022-08-02T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35716"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/231360"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6608584"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-57M7-2G72-PV8M
Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-03-17 00:04A improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, version 5.6.13 and below allows attacker to disclose sensitive information via SNI Client Hello TLS packets.
{
"affected": [],
"aliases": [
"CVE-2020-15936"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-01T19:15:00Z",
"severity": "MODERATE"
},
"details": "A improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, version 5.6.13 and below allows attacker to disclose sensitive information via SNI Client Hello TLS packets.",
"id": "GHSA-57m7-2g72-pv8m",
"modified": "2022-03-17T00:04:26Z",
"published": "2022-03-02T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15936"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-20-091"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-57RW-93XC-4HPV
Vulnerability from github – Published: 2022-12-20 21:30 – Updated: 2022-12-20 21:30In multiple locations of WifiDialogActivity.java, there is a possible limited lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege in wifi settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-231583603
{
"affected": [],
"aliases": [
"CVE-2022-20529"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "LOW"
},
"details": "In multiple locations of WifiDialogActivity.java, there is a possible limited lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege in wifi settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-231583603",
"id": "GHSA-57rw-93xc-4hpv",
"modified": "2022-12-20T21:30:19Z",
"published": "2022-12-20T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20529"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5875-P652-2PPM
Vulnerability from github – Published: 2022-02-27 00:00 – Updated: 2023-08-03 17:34Exposure of Resource to Wrong Sphere in microweber prior to 1.3 allows users to add deleted products to a cart and buy it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "microweber/microweber"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0762"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-01T21:09:05Z",
"nvd_published_at": "2022-02-26T10:15:00Z",
"severity": "MODERATE"
},
"details": "Exposure of Resource to Wrong Sphere in microweber prior to 1.3 allows users to add deleted products to a cart and buy it.",
"id": "GHSA-5875-p652-2ppm",
"modified": "2023-08-03T17:34:37Z",
"published": "2022-02-27T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0762"
},
{
"type": "WEB",
"url": "https://github.com/microweber/microweber/commit/76361264d9fdfff38a1af79c63141455cc4d36e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/microweber/microweber"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/125b5244-5099-485e-bf75-e5f1ed80dd48"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in microweber"
}
GHSA-58FX-7V9Q-3G56
Vulnerability from github – Published: 2025-01-28 18:31 – Updated: 2025-12-16 20:01A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/redhat-developer/gitops-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-13484"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-28T20:40:01Z",
"nvd_published_at": "2025-01-28T18:15:32Z",
"severity": "HIGH"
},
"details": "A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.",
"id": "GHSA-58fx-7v9q-3g56",
"modified": "2025-12-16T20:01:25Z",
"published": "2025-01-28T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13484"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/pull/853"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/pull/869"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/pull/897"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7753"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8274"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-13484"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269376"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/GITOPS-7037"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenShift GitOps Operator Namespace Isolation Break"
}
GHSA-596G-9FV7-MQ62
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-14 00:31Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
{
"affected": [],
"aliases": [
"CVE-2026-34095"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T18:16:32Z",
"severity": "LOW"
},
"details": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.",
"id": "GHSA-596g-9fv7-mq62",
"modified": "2026-05-14T00:31:56Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34095"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T419192"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.