CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-FCR8-4R9F-R66M
Vulnerability from github – Published: 2025-01-17 16:29 – Updated: 2025-01-17 21:56Impact
Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enable_subdomains = False.
1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has full access to the contents of the page served by formgrader using Bob's credentials.
Workarounds
- Disable
frame-ancestors: self, or - enable per-user and per-service subdomains with
JupyterHub.enable_subdomains = True(then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame).
References
JupyterHub documentation on why and when frame-ancestors: self is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nbgrader"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.4"
},
{
"fixed": "0.9.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9.4"
]
}
],
"aliases": [
"CVE-2025-23205"
],
"database_specific": {
"cwe_ids": [
"CWE-1021",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-17T16:29:16Z",
"nvd_published_at": "2025-01-17T21:15:11Z",
"severity": "HIGH"
},
"details": "### Impact\n\nEnabling frame-ancestors: \u0027self\u0027 grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`.\n\n#1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice\u0027s page is on the same Origin as the formgrader iframe, Javasript on Alice\u0027s page has _full access_ to the contents of the page served by formgrader using Bob\u0027s credentials.\n\n### Workarounds\n\n- Disable `frame-ancestors: self`, or\n- enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame).\n\n### References\n\nJupyterHub documentation on why and when `frame-ancestors: self` is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors",
"id": "GHSA-fcr8-4r9f-r66m",
"modified": "2025-01-17T21:56:51Z",
"published": "2025-01-17T16:29:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23205"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/nbgrader/pull/1915"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/nbgrader"
},
{
"type": "WEB",
"url": "https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "nbgrader\u0027s `frame-ancestors: self` grants all users access to formgrader"
}
GHSA-FF64-7W26-62RF
Vulnerability from github – Published: 2026-02-06 19:14 – Updated: 2026-02-06 19:14Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted.
Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.
Claude Code thanks hackerone.com/edbr for reporting this issue!
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@anthropic-ai/claude-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25725"
],
"database_specific": {
"cwe_ids": [
"CWE-501",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:14:33Z",
"nvd_published_at": "2026-02-06T18:16:00Z",
"severity": "HIGH"
},
"details": "Claude Code\u0027s bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. \n\nUsers on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nClaude Code thanks hackerone.com/edbr for reporting this issue!",
"id": "GHSA-ff64-7w26-62rf",
"modified": "2026-02-06T19:14:33Z",
"published": "2026-02-06T19:14:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25725"
},
{
"type": "PACKAGE",
"url": "https://github.com/anthropics/claude-code"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json"
}
GHSA-FG5R-4HGJ-M9V6
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-05-24 00:00Storage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43227.
{
"affected": [],
"aliases": [
"CVE-2021-43235"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "MODERATE"
},
"details": "Storage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43227.",
"id": "GHSA-fg5r-4hgj-m9v6",
"modified": "2022-05-24T00:00:42Z",
"published": "2021-12-16T00:01:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43235"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43235"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FGJM-PGHW-GF5M
Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 18:30In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-42717"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T01:15:10Z",
"severity": "HIGH"
},
"details": "In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed",
"id": "GHSA-fgjm-pghw-gf5m",
"modified": "2023-12-07T18:30:27Z",
"published": "2023-12-04T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42717"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FGQR-H6M4-C3J9
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].
{
"affected": [],
"aliases": [
"CVE-2022-34047"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T17:15:00Z",
"severity": "HIGH"
},
"details": "An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].",
"id": "GHSA-fgqr-h6m4-c3j9",
"modified": "2022-07-28T00:00:41Z",
"published": "2022-07-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34047"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1sTQdUc12aZvJRFeb5wp8AfPdUEkkU9Sy/view?usp=sharing"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167891/Wavlink-WN530HG4-Password-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FHQ9-P69R-3JQ8
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.
{
"affected": [],
"aliases": [
"CVE-2021-41847"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-01T23:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software.",
"id": "GHSA-fhq9-p69r-3jq8",
"modified": "2022-07-13T00:01:42Z",
"published": "2022-05-24T19:16:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41847"
},
{
"type": "WEB",
"url": "https://gitlab.com/grose88/infinias"
},
{
"type": "WEB",
"url": "https://grant-rose.com/infinias-access-control-vulnerability"
},
{
"type": "WEB",
"url": "https://www.3xlogic.com/infinias-access-control"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJVJ-W876-8MC2
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-07 00:01There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.
{
"affected": [],
"aliases": [
"CVE-2022-0852"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T15:15:00Z",
"severity": "MODERATE"
},
"details": "There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.",
"id": "GHSA-fjvj-w876-8mc2",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-08-29T20:06:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0852"
},
{
"type": "WEB",
"url": "https://github.com/oamg/convert2rhel/pull/492"
},
{
"type": "WEB",
"url": "https://github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:1599"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:1617"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:1618"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0852"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060129"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/RHELC-432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FMC8-F7RH-X4P9
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2025-04-20 03:49fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.
{
"affected": [],
"aliases": [
"CVE-2017-17087"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-01T08:29:00Z",
"severity": "MODERATE"
},
"details": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor\u0027s primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.",
"id": "GHSA-fmc8-f7rh-x4p9",
"modified": "2025-04-20T03:49:19Z",
"published": "2022-05-13T01:03:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17087"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8"
},
{
"type": "WEB",
"url": "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4582-1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/27/2"
},
{
"type": "WEB",
"url": "http://security.cucumberlinux.com/security/details.php?id=166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FP29-2P4F-JJCR
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.
{
"affected": [],
"aliases": [
"CVE-2022-23163"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.",
"id": "GHSA-fp29-2p4f-jjcr",
"modified": "2022-04-21T00:00:46Z",
"published": "2022-04-13T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23163"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000196009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FPMW-WFWQ-64G9
Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2022-04-01 00:01IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.
{
"affected": [],
"aliases": [
"CVE-2021-20373"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-09T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.",
"id": "GHSA-fpmw-wfwq-64g9",
"modified": "2022-04-01T00:01:18Z",
"published": "2021-12-10T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20373"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/195521"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220225-0005"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6523804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.