CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-FPV7-MHHR-H93X
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2023-06-29 06:30Microsoft Office Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-23252"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Office Information Disclosure Vulnerability.",
"id": "GHSA-fpv7-mhhr-h93x",
"modified": "2023-06-29T06:30:17Z",
"published": "2022-02-10T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23252"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23252"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23252"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQ5M-CP8F-255J
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.
{
"affected": [],
"aliases": [
"CVE-2020-26084"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-06T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.",
"id": "GHSA-fq5m-cp8f-255j",
"modified": "2022-05-24T17:33:18Z",
"published": "2022-05-24T17:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26084"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-eff-incperm-9E6h4yBz"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FQ7V-XJ92-R9MR
Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2025-05-30 18:30An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.
{
"affected": [],
"aliases": [
"CVE-2022-24446"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-01T02:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.",
"id": "GHSA-fq7v-xj92-r9mr",
"modified": "2025-05-30T18:30:42Z",
"published": "2022-03-02T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24446"
},
{
"type": "WEB",
"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-24446"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory/cve-2022-24446"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/key-manager"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/key-manager/release-notes.html#6200"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQ83-F496-R75H
Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.
{
"affected": [],
"aliases": [
"CVE-2022-28713"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-04T07:15:00Z",
"severity": "MODERATE"
},
"details": "Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.",
"id": "GHSA-fq83-f496-r75h",
"modified": "2022-07-13T00:01:53Z",
"published": "2022-07-05T00:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28713"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2022/007429.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN73897863/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQ84-CHPX-FM5F
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:01Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege.
{
"affected": [],
"aliases": [
"CVE-2021-20755"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-18T06:15:00Z",
"severity": "MODERATE"
},
"details": "Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege.",
"id": "GHSA-fq84-chpx-fm5f",
"modified": "2022-07-13T00:01:06Z",
"published": "2022-05-24T19:11:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20755"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2021/007206.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN54794245/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQCP-358Q-WG2P
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace. A local authenticated user can bypass Application Whitelisting restrictions to execute arbitrary code by leveraging multiple unspecified attack vectors.
{
"affected": [],
"aliases": [
"CVE-2018-15591"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-15T16:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace. A local authenticated user can bypass Application Whitelisting restrictions to execute arbitrary code by leveraging multiple unspecified attack vectors.",
"id": "GHSA-fqcp-358q-wg2p",
"modified": "2022-05-13T01:50:10Z",
"published": "2022-05-13T01:50:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15591"
},
{
"type": "WEB",
"url": "https://community.ivanti.com/docs/DOC-69684"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2018/Oct/8"
},
{
"type": "WEB",
"url": "https://www.securify.nl/en/advisory/SFY20180806/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_see-command-line-argument.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/149614/Ivanti-Workspace-Control-Application-PowerGrid-SEE-Whitelist-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Oct/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQHM-44XP-628C
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-29 00:01A permissions issue was addressed with improved validation. This issue is fixed in Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access restricted files.
{
"affected": [],
"aliases": [
"CVE-2022-22583"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "A permissions issue was addressed with improved validation. This issue is fixed in Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access restricted files.",
"id": "GHSA-fqhm-44xp-628c",
"modified": "2022-03-29T00:01:35Z",
"published": "2022-03-19T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22583"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213054"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213055"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR28-P2JH-93MM
Vulnerability from github – Published: 2023-04-15 21:30 – Updated: 2024-04-04 03:29An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.
{
"affected": [],
"aliases": [
"CVE-2021-30153"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-15T20:16:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn\u0027t because they are hidden.) This is related to ApiVisualEditor.",
"id": "GHSA-fr28-p2jh-93mm",
"modified": "2024-04-04T03:29:16Z",
"published": "2023-04-15T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30153"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T270453"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRCG-47MH-PJ2G
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-03-27 18:32curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
{
"affected": [],
"aliases": [
"CVE-2021-22897"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.",
"id": "GHSA-frcg-47mh-pj2g",
"modified": "2024-03-27T18:32:37Z",
"published": "2022-05-24T19:05:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"
},
{
"type": "WEB",
"url": "https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1172857"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2021-22897.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210727-0007"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRPC-MXVH-F9W7
Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2024-04-04 04:48DHCP Server Service Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-29355"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T00:15:09Z",
"severity": "MODERATE"
},
"details": "DHCP Server Service Information Disclosure Vulnerability",
"id": "GHSA-frpc-mxvh-f9w7",
"modified": "2024-04-04T04:48:23Z",
"published": "2023-06-14T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29355"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29355"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.