CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-XC2Q-PRRJ-8CP6
Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2024-04-04 04:48Windows Installer Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-32016"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T00:15:11Z",
"severity": "MODERATE"
},
"details": "Windows Installer Information Disclosure Vulnerability",
"id": "GHSA-xc2q-prrj-8cp6",
"modified": "2024-04-04T04:48:53Z",
"published": "2023-06-14T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32016"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCJR-GM58-GW5Q
Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2023-08-08 15:31The distributed data service component has a vulnerability in data access control. Successful exploitation of this vulnerability may affect data confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-40005"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T14:10:00Z",
"severity": "HIGH"
},
"details": "The distributed data service component has a vulnerability in data access control. Successful exploitation of this vulnerability may affect data confidentiality.",
"id": "GHSA-xcjr-gm58-gw5q",
"modified": "2023-08-08T15:31:31Z",
"published": "2022-01-11T00:01:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40005"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202112-0000001183296718"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCX2-X6F7-987C
Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2022-05-13 01:39Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This CVE ID is unique from CVE-2017-0173, CVE-2017-0216, CVE-2017-0218, and CVE-2017-0219.
{
"affected": [],
"aliases": [
"CVE-2017-0215"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka \"Device Guard Code Integrity Policy Security Feature Bypass Vulnerability.\" This CVE ID is unique from CVE-2017-0173, CVE-2017-0216, CVE-2017-0218, and CVE-2017-0219.",
"id": "GHSA-xcx2-x6f7-987c",
"modified": "2022-05-13T01:39:49Z",
"published": "2022-05-13T01:39:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0215"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0215"
},
{
"type": "WEB",
"url": "https://posts.specterops.io/umci-bypass-using-psworkflowutility-cve-2017-0215-71c76c1588f9"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98879"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038669"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XF2W-RWCJ-Q83W
Vulnerability from github – Published: 2022-12-28 21:30 – Updated: 2023-01-06 21:30A vulnerability was found in centic9 jgit-cookbook. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to insecure temporary file. The attack can be initiated remotely. The name of the patch is b8cb29b43dc704708d598c60ac1881db7cf8e9c3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216988.
{
"affected": [],
"aliases": [
"CVE-2022-4817"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-28T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in centic9 jgit-cookbook. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to insecure temporary file. The attack can be initiated remotely. The name of the patch is b8cb29b43dc704708d598c60ac1881db7cf8e9c3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216988.",
"id": "GHSA-xf2w-rwcj-q83w",
"modified": "2023-01-06T21:30:42Z",
"published": "2022-12-28T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4817"
},
{
"type": "WEB",
"url": "https://github.com/centic9/jgit-cookbook/pull/86"
},
{
"type": "WEB",
"url": "https://github.com/centic9/jgit-cookbook/commit/b8cb29b43dc704708d598c60ac1881db7cf8e9c3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216988"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216988"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XFCW-6C56-RP9P
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-08-13 00:00Using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent.
{
"affected": [],
"aliases": [
"CVE-2021-25352"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T17:15:00Z",
"severity": "HIGH"
},
"details": "Using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent.",
"id": "GHSA-xfcw-6c56-rp9p",
"modified": "2022-08-13T00:00:33Z",
"published": "2022-05-24T17:45:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25352"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG48-JQ9V-2X5F
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-12 12:00Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.
{
"affected": [],
"aliases": [
"CVE-2022-39860"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T15:15:00Z",
"severity": "LOW"
},
"details": "Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.",
"id": "GHSA-xg48-jq9v-2x5f",
"modified": "2022-10-12T12:00:21Z",
"published": "2022-10-07T18:15:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39860"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG6V-XH9G-65CV
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:12On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in.
{
"affected": [],
"aliases": [
"CVE-2019-13379"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-07T16:15:00Z",
"severity": "HIGH"
},
"details": "On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device\u0027s web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults\u0026src=RA reset and using the default credentials to get in.",
"id": "GHSA-xg6v-xh9g-65cv",
"modified": "2024-04-04T01:12:47Z",
"published": "2022-05-24T16:49:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13379"
},
{
"type": "WEB",
"url": "https://jordonlovik.wordpress.com/2019/07/06/roomalert-by-avtech-critical-vulnerability-disclosure"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=X1PY7kMFkVg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGC4-84F6-P6XR
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2016-5334"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-29T09:59:00Z",
"severity": "MODERATE"
},
"details": "VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.",
"id": "GHSA-xgc4-84f6-p6xr",
"modified": "2022-05-13T01:02:39Z",
"published": "2022-05-13T01:02:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5334"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94482"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037326"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2016-0021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XGQ6-2343-XVCM
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2023-08-08 15:31A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in TP-Link AX10v1 before V1_211014, allows a remote unauthenticated attacker to disconnect an already connected wireless client via sending with a wireless adapter specific spoofed authentication frames
{
"affected": [],
"aliases": [
"CVE-2021-40288"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T20:15:00Z",
"severity": "HIGH"
},
"details": "A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in TP-Link AX10v1 before V1_211014, allows a remote unauthenticated attacker to disconnect an already connected wireless client via sending with a wireless adapter specific spoofed authentication frames",
"id": "GHSA-xgq6-2343-xvcm",
"modified": "2023-08-08T15:31:24Z",
"published": "2021-12-08T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40288"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH3C-FG2P-F6RR
Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-18 00:00ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
{
"affected": [],
"aliases": [
"CVE-2022-31649"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-09T04:15:00Z",
"severity": "HIGH"
},
"details": "ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.",
"id": "GHSA-xh3c-fg2p-f6rr",
"modified": "2022-06-18T00:00:23Z",
"published": "2022-06-10T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31649"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/212.html"
},
{
"type": "WEB",
"url": "https://owncloud.com/security-advisories/cve-2022-31649"
},
{
"type": "WEB",
"url": "https://owncloud.org/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.