CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-835G-MMPX-FPQJ
Vulnerability from github – Published: 2023-03-14 18:30 – Updated: 2023-03-14 18:30Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-23394"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T17:15:00Z",
"severity": "MODERATE"
},
"details": "Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability",
"id": "GHSA-835g-mmpx-fpqj",
"modified": "2023-03-14T18:30:18Z",
"published": "2023-03-14T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23394"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8396-JFFM-QX4W
Vulnerability from github – Published: 2026-06-11 20:28 – Updated: 2026-06-11 20:28Description
In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.
Preconditions
This applies if the following preconditions are present:
- FGA runs with SharedIteratorCache enabled,
- FGA runs with ListObjectsIteratorCache enabled.
Fix
Upgrade to version 1.16.0 or greater.
Acknowledgements
OpenFGA would like to thank @j4xT for the discovery and the detailed report.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openfga/openfga"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48096"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T20:28:18Z",
"nvd_published_at": "2026-06-10T16:17:09Z",
"severity": "MODERATE"
},
"details": "### Description\nIn OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.\n\n### Preconditions\nThis applies if the following preconditions are present:\n\n- FGA runs with SharedIteratorCache enabled,\n- FGA runs with ListObjectsIteratorCache enabled.\n\n### Fix\nUpgrade to version 1.16.0 or greater.\n\n### Acknowledgements\nOpenFGA would like to thank @j4xT for the discovery and the detailed report.",
"id": "GHSA-8396-jffm-qx4w",
"modified": "2026-06-11T20:28:18Z",
"published": "2026-06-11T20:28:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48096"
},
{
"type": "PACKAGE",
"url": "https://github.com/openfga/openfga"
},
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/releases/tag/v1.16.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning"
}
GHSA-83P3-V4FM-FXH5
Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-09 00:00A cookie management issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5. Processing maliciously crafted web content may disclose sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2022-22662"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "A cookie management issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5. Processing maliciously crafted web content may disclose sensitive user information.",
"id": "GHSA-83p3-v4fm-fxh5",
"modified": "2022-06-09T00:00:29Z",
"published": "2022-05-27T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22662"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33BWWAQLLBHKGSI332ZZCORTFZ2XLOIH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANNHXXARVBRGI74TVQNZOAG6P7AGSMUJ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-39"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213184"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213185"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/05/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-847M-MG92-99R2
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-07-13 00:00IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. IBM X-Force ID: 184158.
{
"affected": [],
"aliases": [
"CVE-2020-4569"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-29T14:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. IBM X-Force ID: 184158.",
"id": "GHSA-847m-mg92-99r2",
"modified": "2022-07-13T00:00:51Z",
"published": "2022-05-24T17:24:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4569"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184158"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6253781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-85MV-6CV3-242P
Vulnerability from github – Published: 2023-03-14 18:30 – Updated: 2023-03-14 18:30Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-24866"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T17:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability",
"id": "GHSA-85mv-6cv3-242p",
"modified": "2023-03-14T18:30:20Z",
"published": "2023-03-14T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24866"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24866"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-86JH-GRMM-2V3H
Vulnerability from github – Published: 2026-03-05 00:31 – Updated: 2026-05-01 18:31The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
{
"affected": [],
"aliases": [
"CVE-2026-2297"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T23:16:10Z",
"severity": "MODERATE"
},
"details": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
"id": "GHSA-86jh-grmm-2v3h",
"modified": "2026-05-01T18:31:19Z",
"published": "2026-03-05T00:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2297"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/145506"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/145507"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/05/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-86PW-4RQP-6X7V
Vulnerability from github – Published: 2023-07-25 09:30 – Updated: 2025-02-13 19:01Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences.
Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109 to solve it.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:inlong-manager"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-34189"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-25T19:13:02Z",
"nvd_published_at": "2023-07-25T08:15:10Z",
"severity": "MODERATE"
},
"details": "Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences.\u00a0\n\nUsers are advised to upgrade to Apache InLong\u0027s 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109 \u00a0to solve it.",
"id": "GHSA-86pw-4rqp-6x7v",
"modified": "2025-02-13T19:01:45Z",
"published": "2023-07-25T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34189"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/issues/8108"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/pull/8109"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/inlong"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/smxqyx43hxjvzv4w71n2n3rfho9p378s"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/25/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache InLong: General user can delete and update process"
}
GHSA-8722-V7G5-QCVV
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37A vulnerability in the Open Agent Container (OAC) feature of Cisco Nexus Series Switches could allow an unauthenticated, local attacker to read and send packets outside the scope of the OAC. The vulnerability is due to insufficient internal security measures in the OAC feature. An attacker could exploit this vulnerability by crafting specific packets for communication on the device-internal network. A successful exploit could allow the attacker to run code on the underlying host operating system. OAC is not enabled by default. For a device to be vulnerable, an administrator would need to install and activate this feature. This vulnerability affects the following Cisco Nexus Series Switches: Nexus 2000 Series Fabric Extenders, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches. Cisco Bug IDs: CSCve53542, CSCvf36621.
{
"affected": [],
"aliases": [
"CVE-2017-12342"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-30T09:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Open Agent Container (OAC) feature of Cisco Nexus Series Switches could allow an unauthenticated, local attacker to read and send packets outside the scope of the OAC. The vulnerability is due to insufficient internal security measures in the OAC feature. An attacker could exploit this vulnerability by crafting specific packets for communication on the device-internal network. A successful exploit could allow the attacker to run code on the underlying host operating system. OAC is not enabled by default. For a device to be vulnerable, an administrator would need to install and activate this feature. This vulnerability affects the following Cisco Nexus Series Switches: Nexus 2000 Series Fabric Extenders, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches. Cisco Bug IDs: CSCve53542, CSCvf36621.",
"id": "GHSA-8722-v7g5-qcvv",
"modified": "2022-05-13T01:37:50Z",
"published": "2022-05-13T01:37:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12342"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos9"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102027"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-87J3-33PX-QQWW
Vulnerability from github – Published: 2023-10-17 06:30 – Updated: 2024-04-04 08:42Archer Platform 6.x before 6.13 P2 HF2 (6.13.0.2.2) contains a sensitive information disclosure vulnerability. An authenticated attacker could potentially obtain access to sensitive information via a popup warning message. 6.14 (6.14.0) is also a fixed release.
{
"affected": [],
"aliases": [
"CVE-2023-45357"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T05:15:50Z",
"severity": "MODERATE"
},
"details": "Archer Platform 6.x before 6.13 P2 HF2 (6.13.0.2.2) contains a sensitive information disclosure vulnerability. An authenticated attacker could potentially obtain access to sensitive information via a popup warning message. 6.14 (6.14.0) is also a fixed release.",
"id": "GHSA-87j3-33px-qqww",
"modified": "2024-04-04T08:42:35Z",
"published": "2023-10-17T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45357"
},
{
"type": "WEB",
"url": "https://www.archerirm.community/t5/platform-announcements/archer-update-for-multiple-vulnerabilities/ta-p/708617"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-87QJ-MCQ2-MP5M
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-07-13 00:00The issue was addressed with improved deletion. This issue is fixed in iOS 13.4 and iPadOS 13.4. Deleted messages groups may still be suggested as an autocompletion.
{
"affected": [],
"aliases": [
"CVE-2020-3890"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-01T18:15:00Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved deletion. This issue is fixed in iOS 13.4 and iPadOS 13.4. Deleted messages groups may still be suggested as an autocompletion.",
"id": "GHSA-87qj-mcq2-mp5m",
"modified": "2022-07-13T00:00:51Z",
"published": "2022-05-24T17:13:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3890"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT211102"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.