CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-WCM6-F8W6-W5FJ
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
{
"affected": [],
"aliases": [
"CVE-2019-8934"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T16:01:00Z",
"severity": "LOW"
},
"details": "hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.",
"id": "GHSA-wcm6-f8w6-w5fj",
"modified": "2022-05-13T01:02:55Z",
"published": "2022-05-13T01:02:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8934"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190411-0006"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00094.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00040.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/02/21/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCWP-7PHH-VVR5
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
{
"affected": [],
"aliases": [
"CVE-2021-22012"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T12:15:00Z",
"severity": "HIGH"
},
"details": "The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.",
"id": "GHSA-wcwp-7phh-vvr5",
"modified": "2022-07-13T00:01:08Z",
"published": "2022-05-24T19:15:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22012"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2021-0020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WF58-48GJ-3F44
Vulnerability from github – Published: 2021-12-15 00:01 – Updated: 2021-12-18 00:01A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database. This could allow an unauthenticated remote attacker to read, modify or delete activity feed entries.
{
"affected": [],
"aliases": [
"CVE-2021-44523"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-14T12:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions \u003c V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database. This could allow an unauthenticated remote attacker to read, modify or delete activity feed entries.",
"id": "GHSA-wf58-48gj-3f44",
"modified": "2021-12-18T00:01:57Z",
"published": "2021-12-15T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44523"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WF7F-Q2XR-HRMH
Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-05-01 18:31Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
{
"affected": [],
"aliases": [
"CVE-2026-39911"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T18:17:01Z",
"severity": "HIGH"
},
"details": "Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.",
"id": "GHSA-wf7f-q2xr-hrmh",
"modified": "2026-05-01T18:31:19Z",
"published": "2026-04-09T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39911"
},
{
"type": "WEB",
"url": "https://github.com/hashgraph/guardian/pull/5929"
},
{
"type": "WEB",
"url": "https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WFH8-85QF-JRR2
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1
{
"affected": [],
"aliases": [
"CVE-2021-22525"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-02T17:15:00Z",
"severity": "MODERATE"
},
"details": "This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1",
"id": "GHSA-wfh8-85qf-jrr2",
"modified": "2022-07-13T00:01:10Z",
"published": "2022-05-24T19:12:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22525"
},
{
"type": "WEB",
"url": "https://support.microfocus.com/kb/doc.php?id=7025254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGCC-3VW8-RP8C
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:01There is an unauthorized access vulnerability in system components. Successful exploitation of this vulnerability will affect confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-40051"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:43:00Z",
"severity": "HIGH"
},
"details": "There is an unauthorized access vulnerability in system components. Successful exploitation of this vulnerability will affect confidentiality.",
"id": "GHSA-wgcc-3vw8-rp8c",
"modified": "2022-03-17T00:01:55Z",
"published": "2022-03-11T00:02:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40051"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/3"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202203-0000001257385193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHPG-CVGX-J44F
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911
{
"affected": [],
"aliases": [
"CVE-2021-0734"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911",
"id": "GHSA-whpg-cvgx-j44f",
"modified": "2022-08-14T00:00:22Z",
"published": "2022-08-12T00:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0734"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHX7-8J7G-CCFQ
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of WRQ requests. When parsing the Filename field, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5137.
{
"affected": [],
"aliases": [
"CVE-2017-16597"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-23T01:29:00Z",
"severity": "CRITICAL"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of WRQ requests. When parsing the Filename field, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5137.",
"id": "GHSA-whx7-8j7g-ccfq",
"modified": "2022-05-13T01:37:23Z",
"published": "2022-05-13T01:37:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16597"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-962"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJ55-2MRJ-R24Q
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-17 00:00In Content, there is a possible way to learn gmail account name on the device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-209005023
{
"affected": [],
"aliases": [
"CVE-2022-20270"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Content, there is a possible way to learn gmail account name on the device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-209005023",
"id": "GHSA-wj55-2mrj-r24q",
"modified": "2022-08-17T00:00:32Z",
"published": "2022-08-13T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20270"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJ6W-52QH-V4Q5
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-24 00:01The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."
{
"affected": [],
"aliases": [
"CVE-2021-45402"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"",
"id": "GHSA-wj6w-52qh-v4q5",
"modified": "2022-02-24T00:01:20Z",
"published": "2022-02-12T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45402"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=3cf2b61eb06765e27fec6799292d9fb46d0b7e60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=b1a7288dedc6caf9023f2676b4f5ed34cf0d4029"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=e572ff80f05c33cd0cb4860f864f5c9c044280b6"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.