CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-FRPC-MXVH-F9W7
Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2024-04-04 04:48DHCP Server Service Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-29355"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T00:15:09Z",
"severity": "MODERATE"
},
"details": "DHCP Server Service Information Disclosure Vulnerability",
"id": "GHSA-frpc-mxvh-f9w7",
"modified": "2024-04-04T04:48:23Z",
"published": "2023-06-14T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29355"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29355"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRXJ-5J27-F8RF
Vulnerability from github – Published: 2021-04-20 16:44 – Updated: 2024-11-18 16:26A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14905"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-610",
"CWE-668",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-05T14:41:23Z",
"nvd_published_at": "2020-03-31T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible\u0027s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.",
"id": "GHSA-frxj-5j27-f8rf",
"modified": "2024-11-18T16:26:11Z",
"published": "2021-04-20T16:44:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14905"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0216"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0218"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-frxj-5j27-f8rf"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-206.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible"
}
GHSA-FW34-2587-PPRF
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-11 00:01Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
{
"affected": [],
"aliases": [
"CVE-2021-38505"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T22:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user\u0027s Microsoft account. *This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 94, Thunderbird \u003c 91.3, and Firefox ESR \u003c 91.3.",
"id": "GHSA-fw34-2587-pprf",
"modified": "2021-12-11T00:01:05Z",
"published": "2021-12-09T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38505"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1730194"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-48"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-49"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-50"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FW3P-P4PX-MP7P
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-01 00:01IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 194891.
{
"affected": [],
"aliases": [
"CVE-2021-20355"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 194891.",
"id": "GHSA-fw3p-p4px-mp7p",
"modified": "2022-07-01T00:01:14Z",
"published": "2022-06-25T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20355"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194891"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6597583"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FW6M-68FR-VCF7
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-07-13 00:01An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article.
{
"affected": [],
"aliases": [
"CVE-2021-26027"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-04T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article.",
"id": "GHSA-fw6m-68fr-vcf7",
"modified": "2022-07-13T00:01:11Z",
"published": "2022-05-24T17:43:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26027"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FX55-2GC2-Q86H
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-07-13 00:01Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
{
"affected": [],
"aliases": [
"CVE-2021-35301"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.",
"id": "GHSA-fx55-2gc2-q86h",
"modified": "2022-07-13T00:01:28Z",
"published": "2022-05-24T19:06:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35301"
},
{
"type": "WEB",
"url": "https://zammad.com/en/advisories/zaa-2021-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FXHJ-VJVM-J527
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02Remote Desktop Protocol Client Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-24503"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "Remote Desktop Protocol Client Information Disclosure Vulnerability.",
"id": "GHSA-fxhj-vjvm-j527",
"modified": "2022-03-17T00:02:14Z",
"published": "2022-03-10T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24503"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24503"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FXWJ-V664-WV5G
Vulnerability from github – Published: 2022-04-20 00:00 – Updated: 2022-04-28 19:49Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1385"
],
"database_specific": {
"cwe_ids": [
"CWE-664",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:57:43Z",
"nvd_published_at": "2022-04-19T21:15:00Z",
"severity": "MODERATE"
},
"details": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.",
"id": "GHSA-fxwj-v664-wv5g",
"modified": "2022-04-28T19:49:33Z",
"published": "2022-04-20T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1385"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1486820"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost-server"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Control of a Resource Through its Lifetime in Mattermost"
}
GHSA-G237-MM39-6J87
Vulnerability from github – Published: 2023-02-01 06:30 – Updated: 2023-02-08 21:30Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
{
"affected": [],
"aliases": [
"CVE-2022-46756"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T06:15:00Z",
"severity": "MODERATE"
},
"details": "Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container\u0027s underlying OS. Exploitation may lead to a system take over by an attacker.",
"id": "GHSA-g237-mm39-6j87",
"modified": "2023-02-08T21:30:21Z",
"published": "2023-02-01T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46756"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000206943"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G25V-CH2Q-JP7C
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web content may result in the disclosure of process memory.
{
"affected": [],
"aliases": [
"CVE-2021-1820"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web content may result in the disclosure of process memory.",
"id": "GHSA-g25v-ch2q-jp7c",
"modified": "2022-07-13T00:01:01Z",
"published": "2022-05-24T19:13:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1820"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212317"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212323"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212324"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.