CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-W332-Q679-J88P
Vulnerability from github – Published: 2026-01-27 19:09 – Updated: 2026-02-04 19:53Summary
Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.
Details
The vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage.
As a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.
Impact
This vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.
The impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.
Affected Components
- Serve static Middleware (Cloudflare Workers adapter)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.11.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24473"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-284",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-27T19:09:01Z",
"nvd_published_at": "2026-01-27T20:16:23Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nServe static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.\n\n## Details\n\nThe vulnerability exists in the serve-static middleware used with the Cloudflare Workers adapter. When serving static assets, the middleware does not sufficiently validate or restrict user-supplied paths before resolving them against the Workers asset storage.\n\nAs a result, an attacker may craft requests that access arbitrary keys beyond the intended static asset scope. This issue only affects applications running on Cloudflare Workers that use Serve static Middleware with user-controllable request paths.\n\n## Impact\n\nThis vulnerability may lead to information disclosure by allowing unauthorized access to internal assets or data stored in the Workers environment. The exposed data is limited to readable asset keys and does not allow modification of stored data or execution of arbitrary code.\n\nThe impact is limited to applications that use Serve static Middleware in the Cloudflare Workers adapter and rely on it to safely handle untrusted request paths.\n\n## Affected Components\n\n* Serve static Middleware (Cloudflare Workers adapter)",
"id": "GHSA-w332-q679-j88p",
"modified": "2026-02-04T19:53:47Z",
"published": "2026-01-27T19:09:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24473"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/releases/tag/v4.11.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)"
}
GHSA-W358-VXFM-484C
Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2022-26869"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.",
"id": "GHSA-w358-vxfm-484c",
"modified": "2022-06-14T00:00:29Z",
"published": "2022-06-03T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26869"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000196367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W365-QPC6-8W95
Vulnerability from github – Published: 2023-07-11 00:33 – Updated: 2024-04-04 05:54A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.
{
"affected": [],
"aliases": [
"CVE-2023-30960"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T22:15:09Z",
"severity": "MODERATE"
},
"details": "A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.\n\n\n\n",
"id": "GHSA-w365-qpc6-8w95",
"modified": "2024-04-04T05:54:17Z",
"published": "2023-07-11T00:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30960"
},
{
"type": "WEB",
"url": "https://palantir.safebase.us/?tcuUid=115d9bf4-201f-4cfe-b2fc-219e3a2d945b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3M3-F5C2-C97P
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03Microsoft Internet Explorer 6 through 9 does not properly implement JavaScript event handlers, which allows remote attackers to access content from a different (1) domain or (2) zone via unspecified script code, aka "Event Handlers Information Disclosure Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2011-1960"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-08-10T21:55:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Internet Explorer 6 through 9 does not properly implement JavaScript event handlers, which allows remote attackers to access content from a different (1) domain or (2) zone via unspecified script code, aka \"Event Handlers Information Disclosure Vulnerability.\"",
"id": "GHSA-w3m3-f5c2-c97p",
"modified": "2022-05-13T01:03:28Z",
"published": "2022-05-13T01:03:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1960"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12383"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA11-221A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W3Q2-JMRG-5RFM
Vulnerability from github – Published: 2023-03-22 12:30 – Updated: 2023-03-24 06:30Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.
{
"affected": [],
"aliases": [
"CVE-2023-1562"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-22T11:15:00Z",
"severity": "MODERATE"
},
"details": "Mattermost fails to check the \"Show Full Name\" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.",
"id": "GHSA-w3q2-jmrg-5rfm",
"modified": "2023-03-24T06:30:17Z",
"published": "2023-03-22T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1562"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3QF-PH3J-W487
Vulnerability from github – Published: 2022-10-10 19:00 – Updated: 2022-10-12 19:00An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path.
{
"affected": [],
"aliases": [
"CVE-2022-26121"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-10T14:15:00Z",
"severity": "MODERATE"
},
"details": "An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path.",
"id": "GHSA-w3qf-ph3j-w487",
"modified": "2022-10-12T19:00:35Z",
"published": "2022-10-10T19:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26121"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3VP-R637-3FHJ
Vulnerability from github – Published: 2024-06-12 15:31 – Updated: 2024-06-12 15:31CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists that exposes a SSH interface over the product network interface. This does not allow to directly exploit the product or make any unintended operation as the SSH interface access is protected by an authentication mechanism. Impacts are limited to port scanning and fingerprinting activities as well as attempts to perform a potential denial of service attack on the exposed SSH interface.
{
"affected": [],
"aliases": [
"CVE-2024-5313"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T13:15:50Z",
"severity": "MODERATE"
},
"details": "CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists that exposes a SSH\ninterface over the product network interface. This does not allow to directly exploit the product or\nmake any unintended operation as the SSH interface access is protected by an authentication\nmechanism. Impacts are limited to port scanning and fingerprinting activities as well as attempts\nto perform a potential denial of service attack on the exposed SSH interface.",
"id": "GHSA-w3vp-r637-3fhj",
"modified": "2024-06-12T15:31:44Z",
"published": "2024-06-12T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5313"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-163-03.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W4MM-GFHC-2P52
Vulnerability from github – Published: 2022-12-26 06:30 – Updated: 2023-01-04 03:30An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.
{
"affected": [],
"aliases": [
"CVE-2021-44854"
],
"database_specific": {
"cwe_ids": [
"CWE-524",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T05:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.",
"id": "GHSA-w4mm-gfhc-2p52",
"modified": "2023-01-04T03:30:32Z",
"published": "2022-12-26T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44854"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T292763"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W4WC-QJG3-5PQG
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-01 00:01IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.
{
"affected": [],
"aliases": [
"CVE-2021-29768"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the \u0027Cloud Storage\u0027 page for which they should not have access. IBM X-Force ID: 202682.",
"id": "GHSA-w4wc-qjg3-5pqg",
"modified": "2022-07-01T00:01:14Z",
"published": "2022-06-25T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29768"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/202682"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220729-0002"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6597241"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W5G2-9X75-Q8J4
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05Information Disclosure in NoneCMS v1.3 allows remote attackers to obtain sensitive information via the component "/nonecms/vendor".
{
"affected": [],
"aliases": [
"CVE-2020-18647"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-22T15:15:00Z",
"severity": "HIGH"
},
"details": "Information Disclosure in NoneCMS v1.3 allows remote attackers to obtain sensitive information via the component \"/nonecms/vendor\".",
"id": "GHSA-w5g2-9x75-q8j4",
"modified": "2022-05-24T19:05:52Z",
"published": "2022-05-24T19:05:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18647"
},
{
"type": "WEB",
"url": "https://github.com/PearlyNautilus/Security-Code-Review/issues/5"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.