CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-P4MM-5M49-MH3J
Vulnerability from github – Published: 2026-04-28 00:31 – Updated: 2026-04-28 00:31OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.
{
"affected": [],
"aliases": [
"CVE-2026-41368"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T00:16:26Z",
"severity": "HIGH"
},
"details": "OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.",
"id": "GHSA-p4mm-5m49-mh3j",
"modified": "2026-04-28T00:31:41Z",
"published": "2026-04-28T00:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41368"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-disclosure-via-jq-env-filter-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P4PQ-252W-Q8GG
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-10-27 19:00Adobe Captivate version 11.5.5 (and earlier) is affected by an Creation of Temporary File In Directory With Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. The attacker must plant a malicious file in a particular location of the victim's machine. Exploitation of this issue requires user interaction in that a victim must launch the Captivate Installer.
{
"affected": [],
"aliases": [
"CVE-2021-36002"
],
"database_specific": {
"cwe_ids": [
"CWE-379",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Captivate version 11.5.5 (and earlier) is affected by an Creation of Temporary File In Directory With Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. The attacker must plant a malicious file in a particular location of the victim\u0027s machine. Exploitation of this issue requires user interaction in that a victim must launch the Captivate Installer.",
"id": "GHSA-p4pq-252w-q8gg",
"modified": "2022-10-27T19:00:40Z",
"published": "2022-05-24T19:12:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36002"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/captivate/apsb21-60.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5C9-M55V-7XV8
Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.
{
"affected": [],
"aliases": [
"CVE-2022-29122"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.",
"id": "GHSA-p5c9-m55v-7xv8",
"modified": "2025-01-02T21:31:34Z",
"published": "2022-05-11T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29122"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29122"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5FW-F837-J4P4
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:36A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)
{
"affected": [],
"aliases": [
"CVE-2023-27976"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-18T17:15:07Z",
"severity": "HIGH"
},
"details": "\nA CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause\nremote code execution when a valid user visits a malicious link provided through the web\nendpoints. Affected Products:\u00a0EcoStruxure Control Expert (V15.1 and above)",
"id": "GHSA-p5fw-f837-j4p4",
"modified": "2024-04-04T05:36:59Z",
"published": "2023-07-06T19:24:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27976"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-03.pdf"
},
{
"type": "WEB",
"url": "https://https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-03.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5RM-FX86-WV2F
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.
{
"affected": [],
"aliases": [
"CVE-2020-5742"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.",
"id": "GHSA-p5rm-fx86-wv2f",
"modified": "2022-05-24T17:20:35Z",
"published": "2022-05-24T17:20:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5742"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2020-35"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P5VM-WP92-93C6
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-05-24 00:01Windows Remote Access Connection Manager Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-21985"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Remote Access Connection Manager Information Disclosure Vulnerability.",
"id": "GHSA-p5vm-wp92-93c6",
"modified": "2022-05-24T00:01:04Z",
"published": "2022-02-10T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21985"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21985"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5VP-W7X7-6PW3
Vulnerability from github – Published: 2022-08-18 00:00 – Updated: 2022-08-19 00:00Ampere Altra before SRP 1.08b and Altra Max? before SRP 2.05 allow information disclosure of power telemetry via HWmon.
{
"affected": [],
"aliases": [
"CVE-2021-45454"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-17T13:15:00Z",
"severity": "HIGH"
},
"details": "Ampere Altra before SRP 1.08b and Altra Max? before SRP 2.05 allow information disclosure of power telemetry via HWmon.",
"id": "GHSA-p5vp-w7x7-6pw3",
"modified": "2022-08-19T00:00:20Z",
"published": "2022-08-18T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45454"
},
{
"type": "WEB",
"url": "https://amperecomputing.com/product-security"
},
{
"type": "WEB",
"url": "https://amperecomputing.com/products/security-bulletins/platypus.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6GC-38CF-8626
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-10-19 12:00Adobe Photoshop Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2021-28597"
],
"database_specific": {
"cwe_ids": [
"CWE-379",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-28T15:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Photoshop Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction.",
"id": "GHSA-p6gc-38cf-8626",
"modified": "2022-10-19T12:00:23Z",
"published": "2022-05-24T19:06:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28597"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop_elements/apsb21-46.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6XQ-9H8R-V544
Vulnerability from github – Published: 2023-02-10 15:30 – Updated: 2024-01-16 15:57A vulnerability was found in CodenameOne 7.0.70. The manipulation leads to use of implicit intent for sensitive communication. It is possible to launch the attack remotely. Upgrading to version 7.0.71 is able to address this issue. The name of the patch is dad49c9ef26a598619fc48d2697151a02987d478. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.codenameone:codenameone-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.71"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4903"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-927"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-16T15:57:57Z",
"nvd_published_at": "2023-02-10T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in CodenameOne 7.0.70. The manipulation leads to use of implicit intent for sensitive communication. It is possible to launch the attack remotely. Upgrading to version 7.0.71 is able to address this issue. The name of the patch is dad49c9ef26a598619fc48d2697151a02987d478. It is recommended to upgrade the affected component. ",
"id": "GHSA-p6xq-9h8r-v544",
"modified": "2024-01-16T15:57:57Z",
"published": "2023-02-10T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4903"
},
{
"type": "WEB",
"url": "https://github.com/codenameone/CodenameOne/issues/3583"
},
{
"type": "WEB",
"url": "https://github.com/codenameone/CodenameOne/commit/dad49c9ef26a598619fc48d2697151a02987d478"
},
{
"type": "PACKAGE",
"url": "https://github.com/codenameone/CodenameOne"
},
{
"type": "WEB",
"url": "https://github.com/codenameone/CodenameOne/releases/tag/7.0.71"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.220470"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.220470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CodenameOne Pending Intent vulnerability"
}
GHSA-P79H-R9J3-QJG6
Vulnerability from github – Published: 2022-04-21 01:48 – Updated: 2024-02-28 00:52Mondo 2.24 has insecure handling of temporary files.
{
"affected": [],
"aliases": [
"CVE-2007-3915"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-07T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Mondo 2.24 has insecure handling of temporary files.",
"id": "GHSA-p79h-r9j3-qjg6",
"modified": "2024-02-28T00:52:39Z",
"published": "2022-04-21T01:48:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3915"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-3915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.