CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-8XJP-RP29-V5J8
Vulnerability from github – Published: 2022-01-13 00:00 – Updated: 2023-06-27 22:18Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.
This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ru.yandex.jenkins.plugins.debuilder:debian-package-builder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23118"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-668",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-01T20:10:51Z",
"nvd_published_at": "2022-01-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.\n\nThis allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.",
"id": "GHSA-8xjp-rp29-v5j8",
"modified": "2023-06-27T22:18:19Z",
"published": "2022-01-13T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23118"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/debian-package-builder-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2546"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Agent-to-controller security bypass in Jenkins Debian Package Builder Plugin"
}
GHSA-925R-R6RP-2JJ7
Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 21:44A vulnerability has been found in ManyDesigns Portofino 5.3.2. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.manydesigns:portofino"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3952"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-16T00:00:50Z",
"nvd_published_at": "2022-11-11T14:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in ManyDesigns Portofino 5.3.2. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component. ",
"id": "GHSA-925r-r6rp-2jj7",
"modified": "2022-11-16T21:44:44Z",
"published": "2022-11-11T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3952"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino/pull/580"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino/commit/94653cb357806c9cf24d8d294e6afea33f8f0775"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino/releases/tag/v5.3.3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.213457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ManyDesigns Portofino subject to creation of insecure temporary file"
}
GHSA-92CH-FW3F-GXMQ
Vulnerability from github – Published: 2023-06-15 00:30 – Updated: 2024-04-04 04:51An information disclosure vulnerability in the?faye endpoint in Proofpoint Threat Response / Threat Response Auto-Pull (PTR/TRAP) could be used by an attacker on an adjacent network to obtain credentials to integrated services via a man-in-the-middle position or cryptanalysis of the session traffic. An attacker could use these credentials to impersonate PTR/TRAP to these services. All versions prior to 5.10.0 are affected.
{
"affected": [],
"aliases": [
"CVE-2023-2820"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T22:15:09Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in the?faye endpoint in Proofpoint Threat Response / Threat Response Auto-Pull (PTR/TRAP) could be used by an attacker on an adjacent network to obtain credentials to integrated services via a man-in-the-middle position or cryptanalysis of the session traffic. An attacker could use these credentials to impersonate PTR/TRAP to these services. All versions prior to 5.10.0 are affected.\u00a0\n",
"id": "GHSA-92ch-fw3f-gxmq",
"modified": "2024-04-04T04:51:31Z",
"published": "2023-06-15T00:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2820"
},
{
"type": "WEB",
"url": "https://www.proofpoint.com/security/security-advisories/pfpt-sa-2023-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-92CV-8JC7-JRPM
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-06-04 00:00Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.
{
"affected": [],
"aliases": [
"CVE-2021-26314"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T12:15:00Z",
"severity": "MODERATE"
},
"details": "Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.",
"id": "GHSA-92cv-8jc7-jrpm",
"modified": "2022-06-04T00:00:52Z",
"published": "2022-05-24T19:04:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26314"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H36U6CNREC436W6GYO7QUMJIVEA35SCV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVA2NY26MMXOODUMYZN5DCU3FXMBMBOB"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1003"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/09/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/10/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-92FC-JGVR-56VR
Vulnerability from github – Published: 2023-01-01 09:30 – Updated: 2023-01-09 15:30The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. This occurs because a topic name depends on the attacker-controlled time_ref_topic parameter.
{
"affected": [],
"aliases": [
"CVE-2022-48198"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-01T07:15:00Z",
"severity": "CRITICAL"
},
"details": "The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot\u0027s behavior. This occurs because a topic name depends on the attacker-controlled time_ref_topic parameter.",
"id": "GHSA-92fc-jgvr-56vr",
"modified": "2023-01-09T15:30:22Z",
"published": "2023-01-01T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48198"
},
{
"type": "WEB",
"url": "https://github.com/vooon/ntpd_driver/issues/9"
},
{
"type": "WEB",
"url": "https://github.com/vooon/ntpd_driver/compare/1.2.0...1.3.0"
},
{
"type": "WEB",
"url": "https://github.com/vooon/ntpd_driver/compare/2.1.0...2.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-92G9-C25J-HQP6
Vulnerability from github – Published: 2023-08-31 15:30 – Updated: 2023-08-31 15:30Excessive attack surface due to binding to an unrestricted IP address. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30430, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.
{
"affected": [],
"aliases": [
"CVE-2023-41742"
],
"database_specific": {
"cwe_ids": [
"CWE-1327",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T15:15:08Z",
"severity": "MODERATE"
},
"details": "Excessive attack surface due to binding to an unrestricted IP address. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30430, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.",
"id": "GHSA-92g9-c25j-hqp6",
"modified": "2023-08-31T15:30:17Z",
"published": "2023-08-31T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41742"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-4351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-93PJ-4P65-QMR9
Vulnerability from github – Published: 2022-01-28 22:07 – Updated: 2022-02-02 16:13A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.11"
},
{
"fixed": "3.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.10"
},
{
"fixed": "3.10.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0334"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-26T22:48:21Z",
"nvd_published_at": "2022-01-25T20:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.",
"id": "GHSA-93pj-4p65-qmr9",
"modified": "2022-02-02T16:13:31Z",
"published": "2022-01-28T22:07:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0334"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/1964d68f8500ea3c7b776fa8a2af6266ed109f84"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/6d18f136ae88ec97e351a723df570816a959ec68"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043664"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=431102"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient user authorization in Moodle"
}
GHSA-93XG-J32H-9QVG
Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-03-23 00:00IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 and IBM Rational Team Concert 6.0.6 and 6.0.0.1 could allow an authenticated user to obtain sensitive information about build definitions. IBM X-Force ID: 192707.
{
"affected": [],
"aliases": [
"CVE-2020-4989"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-15T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 and IBM Rational Team Concert 6.0.6 and 6.0.0.1 could allow an authenticated user to obtain sensitive information about build definitions. IBM X-Force ID: 192707.",
"id": "GHSA-93xg-j32h-9qvg",
"modified": "2022-03-23T00:00:44Z",
"published": "2022-03-16T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4989"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192707"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6563261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9476-HGJR-4G2Q
Vulnerability from github – Published: 2023-07-25 21:31 – Updated: 2024-04-04 06:21An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is an Access Control Violation for Database Operations. The Vocera Report Console contains a websocket interface that allows for the unauthenticated execution of various tasks and database functions. This includes system tasks, and backing up, loading, and clearing of the database.
{
"affected": [],
"aliases": [
"CVE-2022-46901"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-25T20:15:13Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is an Access Control Violation for Database Operations. The Vocera Report Console contains a websocket interface that allows for the unauthenticated execution of various tasks and database functions. This includes system tasks, and backing up, loading, and clearing of the database.",
"id": "GHSA-9476-hgjr-4g2q",
"modified": "2024-04-04T06:21:24Z",
"published": "2023-07-25T21:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46901"
},
{
"type": "WEB",
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security"
},
{
"type": "WEB",
"url": "https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-949J-7M8V-WG33
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Multiple session validity check issues in several administration functionalities of Invigo Automatic Device Management (ADM) through 5.0 allow remote attackers to read potentially sensitive data hosted by the application.
{
"affected": [],
"aliases": [
"CVE-2020-10581"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T20:15:00Z",
"severity": "HIGH"
},
"details": "Multiple session validity check issues in several administration functionalities of Invigo Automatic Device Management (ADM) through 5.0 allow remote attackers to read potentially sensitive data hosted by the application.",
"id": "GHSA-949j-7m8v-wg33",
"modified": "2022-05-24T17:45:19Z",
"published": "2022-05-24T17:45:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10581"
},
{
"type": "WEB",
"url": "https://www.on-x.com/sites/default/files/security_advisory_-_multiple_vulnerabilities_-_invigo_adm.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.