Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-PF76-3JJ8-RPQG

Vulnerability from github – Published: 2023-11-01 03:31 – Updated: 2023-11-01 03:31
VLAI
Details

Authenticated clients can read arbitrary files on the MAIN Computer system using the remote procedure call (RPC) of the InspectSetup service endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-01T03:15:07Z",
    "severity": "LOW"
  },
  "details": "\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n",
  "id": "GHSA-pf76-3jj8-rpqg",
  "modified": "2023-11-01T03:31:00Z",
  "published": "2023-11-01T03:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2622"
    },
    {
      "type": "WEB",
      "url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177\u0026languageCode=en\u0026Preview=true"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PF7H-H2WQ-M7PG

Vulnerability from github – Published: 2021-11-21 00:00 – Updated: 2024-10-22 14:57
VLAI
Summary
Exposure of Resource to Wrong Sphere in salt
Details

An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "salt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3003.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T22:05:39Z",
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.",
  "id": "GHSA-pf7h-h2wq-m7pg",
  "modified": "2024-10-22T14:57:24Z",
  "published": "2021-11-21T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-318.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltstack/salt"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ"
    },
    {
      "type": "WEB",
      "url": "https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-22"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in salt"
}

GHSA-PF94-6V2V-CM3J

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-06-22 18:37
VLAI
Summary
Exposure of Resource to Wrong Sphere in Spring Cloud OpenFeign
Details

In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level @RequestMappingannotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-openfeign-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-openfeign-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-22044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-22T18:37:06Z",
    "nvd_published_at": "2021-10-28T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods.",
  "id": "GHSA-pf94-6v2v-cm3j",
  "modified": "2022-06-22T18:37:06Z",
  "published": "2022-05-24T19:19:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22044"
    },
    {
      "type": "WEB",
      "url": "https://tanzu.vmware.com/security/cve-2021-22044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in Spring Cloud OpenFeign"
}

GHSA-PFGW-PM22-HFP2

Vulnerability from github – Published: 2022-04-30 18:16 – Updated: 2025-04-03 03:43
VLAI
Details

Acme mini_httpd before 1.16 allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2001-0893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2001-11-13T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Acme mini_httpd before 1.16 allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.",
  "id": "GHSA-pfgw-pm22-hfp2",
  "modified": "2025-04-03T03:43:51Z",
  "published": "2022-04-30T18:16:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2001-0893"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=100568999726036\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.acme.com/software/mini_httpd"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/security_center/static/7541.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PGMV-HX9G-JJHF

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59
VLAI
Details

OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution",
  "id": "GHSA-pgmv-hx9g-jjhf",
  "modified": "2024-04-03T23:59:07Z",
  "published": "2022-05-17T19:57:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0023"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2014-0023"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PHG8-X4RR-QPGF

Vulnerability from github – Published: 2022-01-19 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks of other companies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-18T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks of other companies.",
  "id": "GHSA-phg8-x4rr-qpgf",
  "modified": "2023-08-08T15:31:37Z",
  "published": "2022-01-19T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44838"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/rntcruz23/6575c0ef45c30687c538361910bb8ab3"
    },
    {
      "type": "WEB",
      "url": "https://www.deltarm.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PHP6-9CG9-XVC8

Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-09-07 00:01
VLAI
Details

Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-31T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.",
  "id": "GHSA-php6-9cg9-xvc8",
  "modified": "2022-09-07T00:01:54Z",
  "published": "2022-09-01T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26330"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000010167?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.microfocus.com/support/downloads"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJG2-878F-MVHC

Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-11 00:00
VLAI
Details

PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-927"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-05T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.",
  "id": "GHSA-pjg2-878f-mvhc",
  "modified": "2022-08-11T00:00:34Z",
  "published": "2022-08-06T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36829"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=08"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year==2022\u0026month=08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJH7-QQHQ-G74C

Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. A person with physical access to a device may be able to view contact information from the lock screen

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-23T18:15:12Z",
    "severity": "LOW"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. A person with physical access to a device may be able to view contact information from the lock screen",
  "id": "GHSA-pjh7-qqhq-g74c",
  "modified": "2024-04-04T05:07:55Z",
  "published": "2023-06-23T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32394"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213757"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213758"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213761"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMPF-MG57-995X

Vulnerability from github – Published: 2023-03-14 18:30 – Updated: 2023-03-14 18:30
VLAI
Details

Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-14T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability",
  "id": "GHSA-pmpf-mg57-995x",
  "modified": "2023-03-14T18:30:20Z",
  "published": "2023-03-14T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24863"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.