CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-M67Q-JHV3-98CV
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01A logic issue was addressed with improved restrictions. This issue is fixed in iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. A local user may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2021-1822"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "A logic issue was addressed with improved restrictions. This issue is fixed in iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. A local user may be able to modify protected parts of the file system.",
"id": "GHSA-m67q-jhv3-98cv",
"modified": "2022-07-13T00:01:01Z",
"published": "2022-05-24T19:13:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1822"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212317"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212323"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212324"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M68V-XWF5-G5MH
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2023-08-08 15:31In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192247339
{
"affected": [],
"aliases": [
"CVE-2021-0986"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192247339",
"id": "GHSA-m68v-xwf5-g5mh",
"modified": "2023-08-08T15:31:25Z",
"published": "2021-12-16T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0986"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M6M9-JXQ4-5486
Vulnerability from github – Published: 2023-03-14 18:30 – Updated: 2023-03-14 18:30Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-24870"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T17:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability",
"id": "GHSA-m6m9-jxq4-5486",
"modified": "2023-03-14T18:30:20Z",
"published": "2023-03-14T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24870"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24870"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M7PF-2QJX-4MQR
Vulnerability from github – Published: 2022-04-20 00:00 – Updated: 2022-04-28 00:00An Access Control vulnerability exists in Desire2Learn/D2L Learning Management System (LMS) 20.21.7 via the quizzing feature, which allows a remote malicious user to disable the Disable right click control.
{
"affected": [],
"aliases": [
"CVE-2021-43129"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-19T13:15:00Z",
"severity": "MODERATE"
},
"details": "An Access Control vulnerability exists in Desire2Learn/D2L Learning Management System (LMS) 20.21.7 via the quizzing feature, which allows a remote malicious user to disable the Disable right click control.",
"id": "GHSA-m7pf-2qjx-4mqr",
"modified": "2022-04-28T00:00:43Z",
"published": "2022-04-20T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43129"
},
{
"type": "WEB",
"url": "https://community.brightspace.com/s/article/retirement-notice-disable-right-click"
},
{
"type": "WEB",
"url": "https://github.com/Skotizo/CVE-2021-43129"
},
{
"type": "WEB",
"url": "https://www.d2l.com/learning-management-system-lms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M7V2-7GXM-VC2V
Vulnerability from github – Published: 2026-05-27 21:13 – Updated: 2026-05-27 21:13Description
Symfony\Bridge\Monolog\Command\ServerLogCommand (the server:log console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink:
- The listener binds to
0.0.0.0:9911by default; it accepts connections on every interface, not only loopback. - Each received frame is processed as
unserialize(base64_decode($message))without anallowed_classesallowlist, without authentication, and without any integrity check. The decoded value is then passed todisplayLog(..., array $record)which assumes (without validating) that the result is an array.
Any host that can reach TCP port 9911 on a machine running server:log can therefore submit attacker-chosen serialized PHP payloads. The minimum impact is an unauthenticated denial of service (sending a non-array, e.g. serialize(new stdClass()), crashes the listener with a type error). Object injection with magic-method side effects (__wakeup() / __destruct() / etc.) is reachable before the array type-check fires; full remote code execution is environment-dependent and contingent on usable gadget chains in the autoload set of the target process.
Resolution
The server:log command no longer binds to all interfaces by default: the default --host is now 127.0.0.1:9911, requiring explicit opt-in to accept off-host traffic. Message decoding is gated by an unserialize() allowlist restricted to the Symfony\Component\VarDumper\Caster\* and Symfony\Component\VarDumper\Cloner\* classes that legitimately appear inside dumped log records; any other class is rejected and the record discarded.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Toàn Thắng and Sam Sanoop for reporting the issue and Nicolas Grekas for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/monolog-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/monolog-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/monolog-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/monolog-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45077"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:13:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Description\n\n`Symfony\\Bridge\\Monolog\\Command\\ServerLogCommand` (the `server:log` console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application\u0027s logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink:\n\n1. The listener binds to `0.0.0.0:9911` by default; it accepts connections on every interface, not only loopback.\n2. Each received frame is processed as `unserialize(base64_decode($message))` without an `allowed_classes` allowlist, without authentication, and without any integrity check. The decoded value is then passed to `displayLog(..., array $record)` which assumes (without validating) that the result is an array.\n\nAny host that can reach TCP port 9911 on a machine running `server:log` can therefore submit attacker-chosen serialized PHP payloads. The minimum impact is an unauthenticated denial of service (sending a non-array, e.g. `serialize(new stdClass())`, crashes the listener with a type error). Object injection with magic-method side effects (`__wakeup()` / `__destruct()` / etc.) is reachable before the array type-check fires; full remote code execution is environment-dependent and contingent on usable gadget chains in the autoload set of the target process.\n\n### Resolution\n\nThe `server:log` command no longer binds to all interfaces by default: the default `--host` is now `127.0.0.1:9911`, requiring explicit opt-in to accept off-host traffic. Message decoding is gated by an `unserialize()` allowlist restricted to the `Symfony\\Component\\VarDumper\\Caster\\*` and `Symfony\\Component\\VarDumper\\Cloner\\*` classes that legitimately appear inside dumped log records; any other class is rejected and the record discarded.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/0891b2f293896c488e26943dc034334364b77fc4) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank To\u00e0n Th\u1eafng and Sam Sanoop for reporting the issue and Nicolas Grekas for fixing it.",
"id": "GHSA-m7v2-7gxm-vc2v",
"modified": "2026-05-27T21:13:29Z",
"published": "2026-05-27T21:13:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-m7v2-7gxm-vc2v"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/0891b2f293896c488e26943dc034334364b77fc4"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/monolog-bridge/CVE-2026-45077.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45077.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45077"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener"
}
GHSA-M879-9XPQ-PPWC
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-07-13 00:01Istio before 1.9.6 and 1.10.x before 1.10.2 has Incorrect Access Control.
{
"affected": [],
"aliases": [
"CVE-2021-34824"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-29T14:15:00Z",
"severity": "HIGH"
},
"details": "Istio before 1.9.6 and 1.10.x before 1.10.2 has Incorrect Access Control.",
"id": "GHSA-m879-9xpq-ppwc",
"modified": "2022-07-13T00:01:27Z",
"published": "2022-05-24T19:06:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34824"
},
{
"type": "WEB",
"url": "https://github.com/istio/istio/releases"
},
{
"type": "WEB",
"url": "https://istio.io/latest/news/security/istio-security-2021-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8J6-RG22-WW2F
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-07-13 00:01An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects
{
"affected": [],
"aliases": [
"CVE-2021-22215"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T16:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members\u0027 on-call rotations in other projects",
"id": "GHSA-m8j6-rg22-ww2f",
"modified": "2022-07-13T00:01:09Z",
"published": "2022-05-24T19:04:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22215"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22215.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/328668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8WF-FQCM-6693
Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:30Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. This vulnerability affects Firefox < 111.
{
"affected": [],
"aliases": [
"CVE-2023-25750"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T17:15:11Z",
"severity": "MODERATE"
},
"details": "Under certain circumstances, a ServiceWorker\u0027s offline cache may have leaked to the file system when using private browsing mode. This vulnerability affects Firefox \u003c 111.",
"id": "GHSA-m8wf-fqcm-6693",
"modified": "2024-04-04T04:30:22Z",
"published": "2023-06-02T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25750"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1814733"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M93Q-8WXV-XGC5
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2023-08-08 15:31seatd-launch in seatd 0.6.x before 0.6.4 allows removing files with escalated privileges when installed setuid root. The attack vector is a user-supplied socket pathname.
{
"affected": [],
"aliases": [
"CVE-2022-25643"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T15:15:00Z",
"severity": "CRITICAL"
},
"details": "seatd-launch in seatd 0.6.x before 0.6.4 allows removing files with escalated privileges when installed setuid root. The attack vector is a user-supplied socket pathname.",
"id": "GHSA-m93q-8wxv-xgc5",
"modified": "2023-08-08T15:31:44Z",
"published": "2022-02-25T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25643"
},
{
"type": "WEB",
"url": "https://github.com/kennylevinsen/seatd/commit/10658dc5439db429af0088295a051c53925a4416"
},
{
"type": "WEB",
"url": "https://github.com/kennylevinsen/seatd/commit/7cffe0797fdb17a9c08922339465b1b187394335"
},
{
"type": "WEB",
"url": "https://github.com/kennylevinsen/seatd/compare/0.6.3...0.6.4"
},
{
"type": "WEB",
"url": "https://github.com/kennylevinsen/seatd/tags"
},
{
"type": "WEB",
"url": "https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CETEO7R.QG8B1KGD531R1%40kl.wtf%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M95M-2XC3-P525
Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2022-08-10 00:00Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means.
{
"affected": [],
"aliases": [
"CVE-2021-42116"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-30T12:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH\u00e2\u20ac\u2122s TopEase\u00c2\u00ae Platform Version \u003c= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means.",
"id": "GHSA-m95m-2xc3-p525",
"modified": "2022-08-10T00:00:23Z",
"published": "2021-12-01T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42116"
},
{
"type": "WEB",
"url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.