Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-97QP-7H55-JXGR

Vulnerability from github – Published: 2023-11-20 18:30 – Updated: 2023-11-20 18:30
VLAI
Details

PowerShell Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-20T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "PowerShell Information Disclosure Vulnerability",
  "id": "GHSA-97qp-7h55-jxgr",
  "modified": "2023-11-20T18:30:46Z",
  "published": "2023-11-20T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36013"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9852-HR94-HF7P

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01
VLAI
Details

Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.",
  "id": "GHSA-9852-hr94-hf7p",
  "modified": "2022-04-19T00:01:12Z",
  "published": "2022-04-12T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27822"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98M4-M2C3-QXGQ

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-12-06 21:56
VLAI
Summary
Jenkins JIRA Plugin allows users to select and use credentials with System scope
Details

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.10"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:jira"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:56:30Z",
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.",
  "id": "GHSA-98m4-m2c3-qxgq",
  "modified": "2022-12-06T21:56:30Z",
  "published": "2022-05-24T17:01:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16541"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jira-plugin/commit/3214a54b6871d82cb34a26949aad93b0fa78d1a8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jira-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1106"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins JIRA Plugin allows users to select and use credentials with System scope"
}

GHSA-99P4-7RF3-P26Q

Vulnerability from github – Published: 2023-01-27 15:30 – Updated: 2023-02-07 21:30
VLAI
Details

An information disclosure vulnerability in Totolink A830R V4.1.2cu.5182 allows attackers to obtain the root password via a brute-force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-27T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability in Totolink A830R V4.1.2cu.5182 allows attackers to obtain the root password via a brute-force attack.",
  "id": "GHSA-99p4-7rf3-p26q",
  "modified": "2023-02-07T21:30:21Z",
  "published": "2023-01-27T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48067"
    },
    {
      "type": "WEB",
      "url": "https://befitting-vinca-933.notion.site/Totolink-A830R-V4-1-2cu-5182-Sensitive-Information-Disclosure-567f4a17d5cc401b97e5c3e61aae8ca0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F3W-8VW8-XR57

Vulnerability from github – Published: 2022-01-12 00:00 – Updated: 2024-11-14 21:31
VLAI
Details

Windows GDI Information Disclosure Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows GDI Information Disclosure Vulnerability.",
  "id": "GHSA-9f3w-8vw8-xr57",
  "modified": "2024-11-14T21:31:50Z",
  "published": "2022-01-12T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21904"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21904"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21904"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F9M-8VQ9-GWH7

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01
VLAI
Details

Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-26444, CVE-2021-42301.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-10T01:19:00Z",
    "severity": "LOW"
  },
  "details": "Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-26444, CVE-2021-42301.",
  "id": "GHSA-9f9m-8vq9-gwh7",
  "modified": "2022-07-13T00:01:42Z",
  "published": "2022-05-24T19:20:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42323"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42323"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FHQ-8W23-F2MG

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2023-08-08 15:31
VLAI
Details

Microsoft Defender for IoT Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Defender for IoT Information Disclosure Vulnerability",
  "id": "GHSA-9fhq-8w23-f2mg",
  "modified": "2023-08-08T15:31:24Z",
  "published": "2021-12-16T00:01:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43888"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43888"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9G8X-92Q2-P28F

Vulnerability from github – Published: 2026-05-29 18:20 – Updated: 2026-06-12 19:30
VLAI
Summary
NodeVM observability builtins leak host process and HTTP request data
Details

Summary

NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin.

The following builtins are not blocked by the dangerous builtin denylist:

diagnostics_channel
async_hooks
perf_hooks

These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.

Note: It is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.

Details

Non-denied builtins are exposed to the sandbox through lib/builtin.js:

builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));

diagnostics_channel, async_hooks, and perf_hooks are not denied. These modules expose host process state rather than sandbox-local state.

Confirmed examples:

  1. diagnostics_channel lets sandboxed code subscribe to Node.js HTTP diagnostic channels such as http.server.request.start. The sandbox receives host HTTP request objects and can read headers such as Authorization or session tokens.
  2. async_hooks.executionAsyncResource() lets sandboxed code read the current host AsyncResource. If the host stores request/user data on that resource, the sandbox can read it.
  3. perf_hooks.performance.getEntriesByType('mark') lets sandboxed code read host performance timeline entries.

PoC

Run from the vm2 repository root:

node poc/observability-builtins-info-leak.js

observability-builtins-info-leak.js

The PoC uses only the specific builtin being tested in each section.

It confirms:

diagnostics_channel: sandbox reads host HTTP request headers
async_hooks: sandbox reads host AsyncResource data
perf_hooks: sandbox reads host performance mark names

Example impact from the PoC:

authorization: Bearer HOST_HTTP_SECRET_...
x-session-token: HOST_HTTP_SECRET_...

These values are sent to a host HTTP server, but the sandbox reads them through diagnostics_channel.

Screenshot 2026-05-10 at 1 13 20 PM

Impact

An attacker who can run untrusted JavaScript inside NodeVM with affected builtin settings can observe data from the host process.

In a real application, this may expose HTTP request headers, authorization tokens, session tokens, request context values, user identifiers, or other sensitive diagnostics data from the host application or from other users.

Suggested fix

Treat process-wide observability modules as dangerous builtins for untrusted sandboxes.

At minimum, consider blocking:

diagnostics_channel
async_hooks
perf_hooks

These modules are not sandbox-local and can expose host process state across the vm2 boundary.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.11.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T18:20:45Z",
    "nvd_published_at": "2026-06-12T15:16:28Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`NodeVM` exposes some process-wide observability builtins when they are allowed through `require.builtin`.\n\nThe following builtins are not blocked by the dangerous builtin denylist:\n\n```text\ndiagnostics_channel\nasync_hooks\nperf_hooks\n```\n\nThese modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.\n\n**Note**: It is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.\n\n## Details\n\nNon-denied builtins are exposed to the sandbox through `lib/builtin.js`:\n\n```js\nbuiltins.set(key, special ? special : vm =\u003e vm.readonly(hostRequire(key)));\n```\n\n`diagnostics_channel`, `async_hooks`, and `perf_hooks` are not denied. These modules expose host process state rather than sandbox-local state.\n\nConfirmed examples:\n\n1. `diagnostics_channel` lets sandboxed code subscribe to Node.js HTTP diagnostic channels such as `http.server.request.start`. The sandbox receives host HTTP request objects and can read headers such as `Authorization` or session tokens.\n2. `async_hooks.executionAsyncResource()` lets sandboxed code read the current host `AsyncResource`. If the host stores request/user data on that resource, the sandbox can read it.\n3. `perf_hooks.performance.getEntriesByType(\u0027mark\u0027)` lets sandboxed code read host performance timeline entries.\n\n## PoC\n\nRun from the vm2 repository root:\n\n```bash\nnode poc/observability-builtins-info-leak.js\n```\n[observability-builtins-info-leak.js](https://github.com/user-attachments/files/27571259/observability-builtins-info-leak.js)\n\nThe PoC uses only the specific builtin being tested in each section.\n\nIt confirms:\n\n```text\ndiagnostics_channel: sandbox reads host HTTP request headers\nasync_hooks: sandbox reads host AsyncResource data\nperf_hooks: sandbox reads host performance mark names\n```\n\nExample impact from the PoC:\n\n```text\nauthorization: Bearer HOST_HTTP_SECRET_...\nx-session-token: HOST_HTTP_SECRET_...\n```\n\nThese values are sent to a host HTTP server, but the sandbox reads them through `diagnostics_channel`.\n\n\u003cimg width=\"997\" height=\"566\" alt=\"Screenshot 2026-05-10 at 1 13 20\u202fPM\" src=\"https://github.com/user-attachments/assets/36a7d600-8b53-4bfe-ab06-4e6dcfad5015\" /\u003e\n\n## Impact\n\nAn attacker who can run untrusted JavaScript inside `NodeVM` with affected builtin settings can observe data from the host process.\n\nIn a real application, this may expose HTTP request headers, authorization tokens, session tokens, request context values, user identifiers, or other sensitive diagnostics data from the host application or from other users.\n\n## Suggested fix\n\nTreat process-wide observability modules as dangerous builtins for untrusted sandboxes.\n\nAt minimum, consider blocking:\n\n```text\ndiagnostics_channel\nasync_hooks\nperf_hooks\n```\n\nThese modules are not sandbox-local and can expose host process state across the vm2 boundary.",
  "id": "GHSA-9g8x-92q2-p28f",
  "modified": "2026-06-12T19:30:13Z",
  "published": "2026-05-29T18:20:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47141"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NodeVM observability builtins leak host process and HTTP request data"
}

GHSA-9GMC-P2C5-WM4V

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-16 00:00
VLAI
Details

In StatusBar.java, there is a possible disclosure of notification content on the lockscreen due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-189575031

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "LOW"
  },
  "details": "In StatusBar.java, there is a possible disclosure of notification content on the lockscreen due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-189575031",
  "id": "GHSA-9gmc-p2c5-wm4v",
  "modified": "2022-01-16T00:00:49Z",
  "published": "2022-01-15T00:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39628"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9H7C-FM35-PJFG

Vulnerability from github – Published: 2021-12-15 00:00 – Updated: 2021-12-21 00:01
VLAI
Details

An issue was discovered in Listary through 6. An attacker can create a \.\pipe\Listary.listaryService named pipe and wait for a privileged user to open a session on the Listary installed host. Listary will automatically access the named pipe and the attacker will be able to duplicate the victim's token to impersonate him. This exploit is valid in certain Windows versions (Microsoft has patched the issue in later Windows 10 builds).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-14T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Listary through 6. An attacker can create a \\\\.\\pipe\\Listary.listaryService named pipe and wait for a privileged user to open a session on the Listary installed host. Listary will automatically access the named pipe and the attacker will be able to duplicate the victim\u0027s token to impersonate him. This exploit is valid in certain Windows versions (Microsoft has patched the issue in later Windows 10 builds).",
  "id": "GHSA-9h7c-fm35-pjfg",
  "modified": "2021-12-21T00:01:29Z",
  "published": "2021-12-15T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41065"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@tomerp_77017/exploiting-listary-searching-your-way-to-system-privileges-8175af676c3e"
    },
    {
      "type": "WEB",
      "url": "https://www.listary.com/download"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.