Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-FCR8-4R9F-R66M

Vulnerability from github – Published: 2025-01-17 16:29 – Updated: 2025-01-17 21:56
VLAI
Summary
nbgrader's `frame-ancestors: self` grants all users access to formgrader
Details

Impact

Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enable_subdomains = False.

1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has full access to the contents of the page served by formgrader using Bob's credentials.

Workarounds

  • Disable frame-ancestors: self, or
  • enable per-user and per-service subdomains with JupyterHub.enable_subdomains = True (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame).

References

JupyterHub documentation on why and when frame-ancestors: self is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nbgrader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.4"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.9.4"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-23205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1021",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-17T16:29:16Z",
    "nvd_published_at": "2025-01-17T21:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nEnabling frame-ancestors: \u0027self\u0027 grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`.\n\n#1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice\u0027s page is on the same Origin as the formgrader iframe, Javasript on Alice\u0027s page has _full access_ to the contents of the page served by formgrader using Bob\u0027s credentials.\n\n### Workarounds\n\n- Disable `frame-ancestors: self`, or\n- enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame).\n\n### References\n\nJupyterHub documentation on why and when `frame-ancestors: self` is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors",
  "id": "GHSA-fcr8-4r9f-r66m",
  "modified": "2025-01-17T21:56:51Z",
  "published": "2025-01-17T16:29:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23205"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyter/nbgrader/pull/1915"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyter/nbgrader"
    },
    {
      "type": "WEB",
      "url": "https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "nbgrader\u0027s `frame-ancestors: self` grants all users access to formgrader"
}

GHSA-FF64-7W26-62RF

Vulnerability from github – Published: 2026-02-06 19:14 – Updated: 2026-02-06 19:14
VLAI
Summary
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
Details

Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted.

Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/edbr for reporting this issue!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@anthropic-ai/claude-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-501",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T19:14:33Z",
    "nvd_published_at": "2026-02-06T18:16:00Z",
    "severity": "HIGH"
  },
  "details": "Claude Code\u0027s bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. \n\nUsers on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nClaude Code thanks hackerone.com/edbr for reporting this issue!",
  "id": "GHSA-ff64-7w26-62rf",
  "modified": "2026-02-06T19:14:33Z",
  "published": "2026-02-06T19:14:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25725"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anthropics/claude-code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json"
}

GHSA-FG5R-4HGJ-M9V6

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-05-24 00:00
VLAI
Details

Storage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43227.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Storage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43227.",
  "id": "GHSA-fg5r-4hgj-m9v6",
  "modified": "2022-05-24T00:00:42Z",
  "published": "2021-12-16T00:01:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43235"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43235"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FGJM-PGHW-GF5M

Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 18:30
VLAI
Details

In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T01:15:10Z",
    "severity": "HIGH"
  },
  "details": "In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed",
  "id": "GHSA-fgjm-pghw-gf5m",
  "modified": "2023-12-07T18:30:27Z",
  "published": "2023-12-04T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42717"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FGQR-H6M4-C3J9

Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-20T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].",
  "id": "GHSA-fgqr-h6m4-c3j9",
  "modified": "2022-07-28T00:00:41Z",
  "published": "2022-07-21T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34047"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1sTQdUc12aZvJRFeb5wp8AfPdUEkkU9Sy/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167891/Wavlink-WN530HG4-Password-Disclosure.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FHQ9-P69R-3JQ8

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01
VLAI
Details

An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-01T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.",
  "id": "GHSA-fhq9-p69r-3jq8",
  "modified": "2022-07-13T00:01:42Z",
  "published": "2022-05-24T19:16:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41847"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/grose88/infinias"
    },
    {
      "type": "WEB",
      "url": "https://grant-rose.com/infinias-access-control-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.3xlogic.com/infinias-access-control"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJVJ-W876-8MC2

Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-07 00:01
VLAI
Details

There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-29T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.",
  "id": "GHSA-fjvj-w876-8mc2",
  "modified": "2022-09-07T00:01:54Z",
  "published": "2022-08-29T20:06:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0852"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oamg/convert2rhel/pull/492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1599"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1617"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1618"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-0852"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060129"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/RHELC-432"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMC8-F7RH-X4P9

Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2025-04-20 03:49
VLAI
Details

fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-01T08:29:00Z",
    "severity": "MODERATE"
  },
  "details": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor\u0027s primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.",
  "id": "GHSA-fmc8-f7rh-x4p9",
  "modified": "2025-04-20T03:49:19Z",
  "published": "2022-05-13T01:03:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4582-1"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/11/27/2"
    },
    {
      "type": "WEB",
      "url": "http://security.cucumberlinux.com/security/details.php?id=166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP29-2P4F-JJCR

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00
VLAI
Details

Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.",
  "id": "GHSA-fp29-2p4f-jjcr",
  "modified": "2022-04-21T00:00:46Z",
  "published": "2022-04-13T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23163"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000196009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPMW-WFWQ-64G9

Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2022-04-01 00:01
VLAI
Details

IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.",
  "id": "GHSA-fpmw-wfwq-64g9",
  "modified": "2022-04-01T00:01:18Z",
  "published": "2021-12-10T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20373"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/195521"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220225-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6523804"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.