CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-FF64-7W26-62RF
Vulnerability from github – Published: 2026-02-06 19:14 – Updated: 2026-02-06 19:14Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted.
Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.
Claude Code thanks hackerone.com/edbr for reporting this issue!
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@anthropic-ai/claude-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25725"
],
"database_specific": {
"cwe_ids": [
"CWE-501",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:14:33Z",
"nvd_published_at": "2026-02-06T18:16:00Z",
"severity": "HIGH"
},
"details": "Claude Code\u0027s bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. \n\nUsers on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nClaude Code thanks hackerone.com/edbr for reporting this issue!",
"id": "GHSA-ff64-7w26-62rf",
"modified": "2026-02-06T19:14:33Z",
"published": "2026-02-06T19:14:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25725"
},
{
"type": "PACKAGE",
"url": "https://github.com/anthropics/claude-code"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json"
}
GHSA-FG5R-4HGJ-M9V6
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-05-24 00:00Storage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43227.
{
"affected": [],
"aliases": [
"CVE-2021-43235"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "MODERATE"
},
"details": "Storage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43227.",
"id": "GHSA-fg5r-4hgj-m9v6",
"modified": "2022-05-24T00:00:42Z",
"published": "2021-12-16T00:01:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43235"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43235"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FGJM-PGHW-GF5M
Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 18:30In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-42717"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T01:15:10Z",
"severity": "HIGH"
},
"details": "In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed",
"id": "GHSA-fgjm-pghw-gf5m",
"modified": "2023-12-07T18:30:27Z",
"published": "2023-12-04T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42717"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FGQR-H6M4-C3J9
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].
{
"affected": [],
"aliases": [
"CVE-2022-34047"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T17:15:00Z",
"severity": "HIGH"
},
"details": "An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].",
"id": "GHSA-fgqr-h6m4-c3j9",
"modified": "2022-07-28T00:00:41Z",
"published": "2022-07-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34047"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1sTQdUc12aZvJRFeb5wp8AfPdUEkkU9Sy/view?usp=sharing"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167891/Wavlink-WN530HG4-Password-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FHQ9-P69R-3JQ8
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.
{
"affected": [],
"aliases": [
"CVE-2021-41847"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-01T23:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.",
"id": "GHSA-fhq9-p69r-3jq8",
"modified": "2022-07-13T00:01:42Z",
"published": "2022-05-24T19:16:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41847"
},
{
"type": "WEB",
"url": "https://gitlab.com/grose88/infinias"
},
{
"type": "WEB",
"url": "https://grant-rose.com/infinias-access-control-vulnerability"
},
{
"type": "WEB",
"url": "https://www.3xlogic.com/infinias-access-control"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJVJ-W876-8MC2
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-07 00:01There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.
{
"affected": [],
"aliases": [
"CVE-2022-0852"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T15:15:00Z",
"severity": "MODERATE"
},
"details": "There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.",
"id": "GHSA-fjvj-w876-8mc2",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-08-29T20:06:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0852"
},
{
"type": "WEB",
"url": "https://github.com/oamg/convert2rhel/pull/492"
},
{
"type": "WEB",
"url": "https://github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:1599"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:1617"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:1618"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0852"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060129"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/RHELC-432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FMC8-F7RH-X4P9
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2025-04-20 03:49fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.
{
"affected": [],
"aliases": [
"CVE-2017-17087"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-01T08:29:00Z",
"severity": "MODERATE"
},
"details": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor\u0027s primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.",
"id": "GHSA-fmc8-f7rh-x4p9",
"modified": "2025-04-20T03:49:19Z",
"published": "2022-05-13T01:03:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17087"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8"
},
{
"type": "WEB",
"url": "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4582-1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/27/2"
},
{
"type": "WEB",
"url": "http://security.cucumberlinux.com/security/details.php?id=166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FP29-2P4F-JJCR
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.
{
"affected": [],
"aliases": [
"CVE-2022-23163"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.",
"id": "GHSA-fp29-2p4f-jjcr",
"modified": "2022-04-21T00:00:46Z",
"published": "2022-04-13T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23163"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000196009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FPMW-WFWQ-64G9
Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2022-04-01 00:01IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.
{
"affected": [],
"aliases": [
"CVE-2021-20373"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-09T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.",
"id": "GHSA-fpmw-wfwq-64g9",
"modified": "2022-04-01T00:01:18Z",
"published": "2021-12-10T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20373"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/195521"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220225-0005"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6523804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FPV6-F8JW-RC3R
Vulnerability from github – Published: 2021-09-23 23:17 – Updated: 2022-08-15 20:07Impact
Elvish's backend for the experimental web UI (started by elvish -web) hosts an endpoint that allows executing the code sent from the web UI.
The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost.
Patches
All Elvish releases since 0.14.0 no longer include the experimental web UI, although it is still possible for the user to build a version from source that includes it.
The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).
Workarounds
Do not use the experimental web UI.
For more information
If you have any questions or comments about this advisory, please email xiaqqaix@gmail.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/elves/elvish"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41088"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-23T21:06:47Z",
"nvd_published_at": "2021-09-23T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nElvish\u0027s backend for the experimental web UI (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI.\n\nThe backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost.\n\n### Patches\n\nAll Elvish releases since 0.14.0 no longer include the experimental web UI, although it is still possible for the user to build a version from source that includes it.\n\nThe issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).\n\n### Workarounds\n\nDo not use the experimental web UI.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please email xiaqqaix@gmail.com.",
"id": "GHSA-fpv6-f8jw-rc3r",
"modified": "2022-08-15T20:07:49Z",
"published": "2021-09-23T23:17:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elves/elvish/security/advisories/GHSA-fpv6-f8jw-rc3r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41088"
},
{
"type": "WEB",
"url": "https://github.com/elves/elvish/commit/ccc2750037bbbfafe9c1b7a78eadd3bd16e81fe5"
},
{
"type": "PACKAGE",
"url": "https://github.com/elves/elvish"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Elvish vulnerable to remote code execution via the web UI backend"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.