Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-JJ4F-P7VV-J4V9

Vulnerability from github – Published: 2021-06-16 17:51 – Updated: 2022-06-06 18:06
VLAI
Summary
Arbitrary code execution in Apache Druid
Details

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.druid:druid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.20.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-26919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-31T20:50:36Z",
    "nvd_published_at": "2021-03-30T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2",
  "id": "GHSA-jj4f-p7vv-j4v9",
  "modified": "2022-06-06T18:06:44Z",
  "published": "2021-06-16T17:51:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26919"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/druid/commit/48953e3508967f5156c69676432b5d4dd25ea678"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/druid"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/druid/releases/tag/druid-0.20.2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary code execution in Apache Druid"
}

GHSA-JJ68-7H34-V267

Vulnerability from github – Published: 2022-12-26 21:30 – Updated: 2025-04-14 18:31
VLAI
Details

In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-26T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.",
  "id": "GHSA-jj68-7h34-v267",
  "modified": "2025-04-14T18:31:42Z",
  "published": "2022-12-26T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9011"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2021-061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJH6-7R67-W858

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

In clear_data_dlg_text of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-193890833

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In clear_data_dlg_text of strings.xml, there is a possible situation when \"Clear storage\" functionality sets up the wrong security/privacy expectations due to a misleading message. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-193890833",
  "id": "GHSA-jjh6-7r67-w858",
  "modified": "2023-08-08T15:31:43Z",
  "published": "2022-02-12T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39631"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-02-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJVP-WFP8-RV69

Vulnerability from github – Published: 2023-01-06 21:30 – Updated: 2023-01-12 20:58
VLAI
Summary
globalpom-utils has Insecure Temporary File
Details

A vulnerability has been found in devent globalpom-utils up to 4.5.0 and classified as critical. This vulnerability affects the function createTmpDir of the file globalpomutils-fileresources/src/main/java/com/anrisoftware/globalpom/fileresourcemanager/FileResourceManagerProvider.java. The manipulation leads to insecure temporary file. The attack can be initiated remotely. Upgrading to version 4.5.1 can address this issue. The name of the patch is 77a820bac2f68e662ce261ecb050c643bd7ee560. It is recommended to upgrade the affected component. VDB-217570 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.anrisoftware.globalpom:globalpomutils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T20:58:04Z",
    "nvd_published_at": "2023-01-06T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been found in devent globalpom-utils up to 4.5.0 and classified as critical. This vulnerability affects the function `createTmpDir` of the file `globalpomutils-fileresources/src/main/java/com/anrisoftware/globalpom/fileresourcemanager/FileResourceManagerProvider.java`. The manipulation leads to insecure temporary file. The attack can be initiated remotely. Upgrading to version 4.5.1 can address this issue. The name of the patch is 77a820bac2f68e662ce261ecb050c643bd7ee560. It is recommended to upgrade the affected component. VDB-217570 is the identifier assigned to this vulnerability.",
  "id": "GHSA-jjvp-wfp8-rv69",
  "modified": "2023-01-12T20:58:04Z",
  "published": "2023-01-06T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devent/globalpom-utils/commit/77a820bac2f68e662ce261ecb050c643bd7ee560"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devent/globalpom-utils"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devent/globalpom-utils/releases/tag/globalpomutils-4.5.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217570"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217570"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "globalpom-utils has Insecure Temporary File"
}

GHSA-JJXQ-FF2G-95VH

Vulnerability from github – Published: 2024-11-06 19:52 – Updated: 2024-11-12 19:43
VLAI
Summary
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled
Details

Description

In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the __isset() method is now called after the security check. This is a BC break.

Resolution

The sandbox mode now ensures access to array-like's properties is allowed.

The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.

Credits

We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "twig/twig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "twig/twig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.12"
            },
            {
              "fixed": "3.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-06T19:52:55Z",
    "nvd_published_at": "2024-11-06T20:15:06Z",
    "severity": "LOW"
  },
  "details": "### Description\n\nIn a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy.\nThey are now checked via the property policy and the `__isset()` method is now called after the security check.\n**This is a BC break.**\n\n### Resolution\n\nThe sandbox mode now ensures access to array-like\u0027s properties is allowed.\n\nThe patch for this issue is available [here](https://github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch.\n\n### Credits\n\nWe would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.\n",
  "id": "GHSA-jjxq-ff2g-95vh",
  "modified": "2024-11-12T19:43:00Z",
  "published": "2024-11-06T19:52:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51755"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twigphp/Twig"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled"
}

GHSA-JM74-36VR-69GX

Vulnerability from github – Published: 2023-08-21 18:31 – Updated: 2024-04-04 07:04
VLAI
Details

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-15T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the \u0027admin_notice\u0027 function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.",
  "id": "GHSA-jm74-36vr-69gx",
  "modified": "2024-04-04T07:04:54Z",
  "published": "2023-08-21T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2916"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.11.1/core.class.php#L365"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2925897/iwp-client#file4"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JP2P-37CW-QG8C

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46
VLAI
Details

The Norwegian Air Shuttle (aka norwegian.com) airline kiosk allows physically proximate attackers to bypass the intended "Please select booking identification" UI step, and obtain administrative privileges and network access on the underlying Windows OS, by accessing a touch-screen print icon to manipulate the print dialog.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-09T16:59:00Z",
    "severity": "HIGH"
  },
  "details": "The Norwegian Air Shuttle (aka norwegian.com) airline kiosk allows physically proximate attackers to bypass the intended \"Please select booking identification\" UI step, and obtain administrative privileges and network access on the underlying Windows OS, by accessing a touch-screen print icon to manipulate the print dialog.",
  "id": "GHSA-jp2p-37cw-qg8c",
  "modified": "2022-05-13T01:46:13Z",
  "published": "2022-05-13T01:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5634"
    },
    {
      "type": "WEB",
      "url": "https://bugemot.com/bug/190"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=2j9gP5Qu2WA"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=WSQW0ipnXQg"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96230"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPW2-CWXG-4QV8

Vulnerability from github – Published: 2021-11-27 00:00 – Updated: 2022-04-01 00:01
VLAI
Details

In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-26T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property",
  "id": "GHSA-jpw2-cwxg-4qv8",
  "modified": "2022-04-01T00:01:19Z",
  "published": "2021-11-27T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/acassen/keepalived/pull/2063"
    },
    {
      "type": "WEB",
      "url": "https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5226RYNMNB7FL4MSJDIBBGPUWH6LMRYV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6O2R6EXURJQFPFPYFWRCZLUYVWQCLSZM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPWR-PHPW-6HPW

Vulnerability from github – Published: 2023-04-18 21:30 – Updated: 2024-04-04 03:32
VLAI
Details

Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows local attacker to retrieve passwords via reading log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-18T19:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows local attacker to retrieve passwords via reading log files.",
  "id": "GHSA-jpwr-phpw-6hpw",
  "modified": "2024-04-04T03:32:18Z",
  "published": "2023-04-18T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22307"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/9522"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQMM-C922-3758

Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2022-05-13 01:39
VLAI
Details

Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-13T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure.",
  "id": "GHSA-jqmm-c922-3758",
  "modified": "2022-05-13T01:39:56Z",
  "published": "2022-05-13T01:39:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0367"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T161453"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2017-0367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.