CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-5R2X-44QW-G2H7
Vulnerability from github – Published: 2023-11-23 15:30 – Updated: 2023-11-23 15:30Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.
{
"affected": [],
"aliases": [
"CVE-2023-41786"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-23T15:15:08Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.",
"id": "GHSA-5r2x-44qw-g2h7",
"modified": "2023-11-23T15:30:26Z",
"published": "2023-11-23T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41786"
},
{
"type": "WEB",
"url": "https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5R3G-XH79-R442
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.
{
"affected": [],
"aliases": [
"CVE-2021-42536"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-22T14:15:00Z",
"severity": "MODERATE"
},
"details": "The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.",
"id": "GHSA-5r3g-xh79-r442",
"modified": "2022-05-24T19:18:37Z",
"published": "2022-05-24T19:18:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42536"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5V9M-7339-P4XV
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-07-13 00:01Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2021-1969"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-20T07:15:00Z",
"severity": "MODERATE"
},
"details": "Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
"id": "GHSA-5v9m-7339-p4xv",
"modified": "2022-07-13T00:01:03Z",
"published": "2022-05-24T19:18:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1969"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2021-bulletin"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172856/Qualcomm-NPU-Use-After-Free-Information-Leak.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5VV2-X7QH-G29X
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01A logic issue was addressed with improved state management. This issue is fixed in iOS 14.7, macOS Big Sur 11.5, watchOS 7.6. A malicious application may be able to bypass certain Privacy preferences.
{
"affected": [],
"aliases": [
"CVE-2021-30798"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T14:15:00Z",
"severity": "HIGH"
},
"details": "A logic issue was addressed with improved state management. This issue is fixed in iOS 14.7, macOS Big Sur 11.5, watchOS 7.6. A malicious application may be able to bypass certain Privacy preferences.",
"id": "GHSA-5vv2-x7qh-g29x",
"modified": "2022-07-13T00:01:24Z",
"published": "2022-05-24T19:13:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30798"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212601"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212602"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212605"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5VW4-V588-PGV8
Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2024-05-20 19:41Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/robbert229/jwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20170426191122-ca1404ee6e83"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-10004"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:33:01Z",
"nvd_published_at": "2022-12-27T22:15:00Z",
"severity": "HIGH"
},
"details": "Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.",
"id": "GHSA-5vw4-v588-pgv8",
"modified": "2024-05-20T19:41:55Z",
"published": "2022-12-28T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10004"
},
{
"type": "WEB",
"url": "https://github.com/robbert229/jwt/issues/12"
},
{
"type": "WEB",
"url": "https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654"
},
{
"type": "PACKAGE",
"url": "https://github.com/robbert229/jwt"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "robbert229/jwt\u0027s token validation methods vulnerable to a timing side-channel during HMAC comparison"
}
GHSA-5VWC-R48G-WJ6C
Vulnerability from github – Published: 2022-01-06 22:08 – Updated: 2023-06-13 16:03An issue was discovered in the abomonation crate through version 0.7.3 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "abomonation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-45708"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-05T21:50:24Z",
"nvd_published_at": "2021-12-27T00:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the abomonation crate through version 0.7.3 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass.",
"id": "GHSA-5vwc-r48g-wj6c",
"modified": "2023-06-13T16:03:48Z",
"published": "2022-01-06T22:08:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45708"
},
{
"type": "WEB",
"url": "https://github.com/TimelyDataflow/abomonation/issues/23"
},
{
"type": "PACKAGE",
"url": "https://github.com/TimelyDataflow/abomonation"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/abomonation/RUSTSEC-2021-0120.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0120.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Abomonation transmutes \u0026T to and from \u0026[u8] without sufficient constraints"
}
GHSA-5W35-CMJ6-VC9R
Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 03:30A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources (data) supplied by the server when an attacker sends a fetch request from third-party site or malicious site. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)
{
"affected": [],
"aliases": [
"CVE-2022-22732"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T23:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources (data) supplied by the server when an attacker sends a fetch request from third-party site or malicious site. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)",
"id": "GHSA-5w35-cmj6-vc9r",
"modified": "2023-02-07T03:30:22Z",
"published": "2023-01-31T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22732"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5W3R-PRR4-7J25
Vulnerability from github – Published: 2026-03-29 15:30 – Updated: 2026-03-29 15:30OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory.
{
"affected": [],
"aliases": [
"CVE-2026-33573"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-29T13:17:02Z",
"severity": "HIGH"
},
"details": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory.",
"id": "GHSA-5w3r-prr4-7j25",
"modified": "2026-03-29T15:30:20Z",
"published": "2026-03-29T15:30:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33573"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-workspace-boundary-bypass-via-agent-rpc-parameters"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5XW5-83CP-4RJF
Vulnerability from github – Published: 2025-12-31 00:31 – Updated: 2025-12-31 00:31Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.
{
"affected": [],
"aliases": [
"CVE-2025-15114"
],
"database_specific": {
"cwe_ids": [
"CWE-403",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T23:15:50Z",
"severity": "CRITICAL"
},
"details": "Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the \u0027basisInfo\u0027 XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.",
"id": "GHSA-5xw5-83cp-4rjf",
"modified": "2025-12-31T00:31:11Z",
"published": "2025-12-31T00:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15114"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-pin-exposure-vulnerability"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5929.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6247-7862-Q2PQ
Vulnerability from github – Published: 2024-08-21 00:30 – Updated: 2025-07-10 23:18The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies.
This issue affects Apache Helix Front (UI): all versions.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.helix:helix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22281"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-21T20:10:17Z",
"nvd_published_at": "2024-08-20T23:15:03Z",
"severity": "HIGH"
},
"details": "The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies.\n\nThis issue affects Apache Helix Front (UI): all versions.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-6247-7862-q2pq",
"modified": "2025-07-10T23:18:02Z",
"published": "2024-08-21T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22281"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/helix"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zt26fpmrqx3fzcy8nv3b43kb3xllo5ny"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Helix Front (UI) component contained a hard-coded secret"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.