CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-58FX-7V9Q-3G56
Vulnerability from github – Published: 2025-01-28 18:31 – Updated: 2025-12-16 20:01A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/redhat-developer/gitops-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-13484"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-28T20:40:01Z",
"nvd_published_at": "2025-01-28T18:15:32Z",
"severity": "HIGH"
},
"details": "A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.",
"id": "GHSA-58fx-7v9q-3g56",
"modified": "2025-12-16T20:01:25Z",
"published": "2025-01-28T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13484"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/pull/853"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/pull/869"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/pull/897"
},
{
"type": "WEB",
"url": "https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7753"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8274"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-13484"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269376"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/GITOPS-7037"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenShift GitOps Operator Namespace Isolation Break"
}
GHSA-596G-9FV7-MQ62
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-14 00:31Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
{
"affected": [],
"aliases": [
"CVE-2026-34095"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T18:16:32Z",
"severity": "LOW"
},
"details": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.",
"id": "GHSA-596g-9fv7-mq62",
"modified": "2026-05-14T00:31:56Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34095"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T419192"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-59VG-279R-WF25
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01Datalust Seq before 2021.2.6259 allows users (with view filters applied to their accounts) to see query results not constrained by their view filter. This information exposure, caused by an internal cache key collision, occurs when the user's view filter includes an array or IN clause, and when another user has recently executed an identical query differing only by the array elements.
{
"affected": [],
"aliases": [
"CVE-2021-41329"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-27T06:15:00Z",
"severity": "MODERATE"
},
"details": "Datalust Seq before 2021.2.6259 allows users (with view filters applied to their accounts) to see query results not constrained by their view filter. This information exposure, caused by an internal cache key collision, occurs when the user\u0027s view filter includes an array or IN clause, and when another user has recently executed an identical query differing only by the array elements.",
"id": "GHSA-59vg-279r-wf25",
"modified": "2022-07-13T00:01:41Z",
"published": "2022-05-24T19:15:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41329"
},
{
"type": "WEB",
"url": "https://github.com/datalust/seq-tickets/issues/1322"
},
{
"type": "WEB",
"url": "https://blog.datalust.co"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59XF-CX6R-29GQ
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-17 00:00Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.
{
"affected": [],
"aliases": [
"CVE-2022-30750"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T14:15:00Z",
"severity": "LOW"
},
"details": "Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.",
"id": "GHSA-59xf-cx6r-29gq",
"modified": "2022-07-17T00:00:45Z",
"published": "2022-07-13T00:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30750"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FRP-V5H8-3HGC
Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-04 00:00Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1875"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-27T22:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-5frp-v5h8-3hgc",
"modified": "2022-08-04T00:00:23Z",
"published": "2022-07-28T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1875"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1306443"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FW4-HG92-MGM7
Vulnerability from github – Published: 2022-10-28 19:00 – Updated: 2022-10-28 19:00An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.
{
"affected": [],
"aliases": [
"CVE-2022-3018"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-28T15:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.",
"id": "GHSA-5fw4-hg92-mgm7",
"modified": "2022-10-28T19:00:30Z",
"published": "2022-10-28T19:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3018"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3018.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/360938"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5G5R-X2QH-4WM6
Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 18:30In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-42718"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T01:15:10Z",
"severity": "MODERATE"
},
"details": "In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed",
"id": "GHSA-5g5r-x2qh-4wm6",
"modified": "2023-12-07T18:30:27Z",
"published": "2023-12-04T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42718"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5GXV-94VG-H86P
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this information.
{
"affected": [],
"aliases": [
"CVE-2021-41011"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-22T15:15:00Z",
"severity": "HIGH"
},
"details": "LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this information.",
"id": "GHSA-5gxv-94vg-h86p",
"modified": "2022-07-13T00:01:41Z",
"published": "2022-05-24T19:15:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41011"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1279524"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5H4V-FJX7-95CQ
Vulnerability from github – Published: 2023-06-02 06:30 – Updated: 2024-11-01 00:31Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.
{
"affected": [],
"aliases": [
"CVE-2023-2062"
],
"database_specific": {
"cwe_ids": [
"CWE-549",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T05:15:10Z",
"severity": "MODERATE"
},
"details": "Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.",
"id": "GHSA-5h4v-fjx7-95cq",
"modified": "2024-11-01T00:31:59Z",
"published": "2023-06-02T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2062"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU92908006"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5HJ6-WM8R-GQJ8
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.
{
"affected": [],
"aliases": [
"CVE-2020-16263"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.",
"id": "GHSA-5hj6-wm8r-gqj8",
"modified": "2022-05-24T17:32:31Z",
"published": "2022-05-24T17:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16263"
},
{
"type": "WEB",
"url": "https://labs.bishopfox.com/advisories/winston-privacy-version-1.5.4"
},
{
"type": "WEB",
"url": "https://winstonprivacy.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.