Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1248 vulnerabilities reference this CWE, most recent first.

GHSA-WV3W-FCVM-P52V

Vulnerability from github – Published: 2021-12-15 00:01 – Updated: 2021-12-18 00:01
VLAI
Details

A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-14T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions \u003c V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.",
  "id": "GHSA-wv3w-fcvm-p52v",
  "modified": "2021-12-18T00:01:57Z",
  "published": "2021-12-15T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44522"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WV48-PVF9-QV86

Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30
VLAI
Details

Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-02T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)",
  "id": "GHSA-wv48-pvf9-qv86",
  "modified": "2023-01-09T21:30:22Z",
  "published": "2023-01-03T00:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4025"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1260250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WV7P-48P2-XRVW

Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-05 00:00
VLAI
Details

IBM QRadar SIEM 7.3, 7.4, and 7.5 allows for users to access information across tenant and domain boundaries in some situations. IBM X-Force ID: 208397.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-27T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM QRadar SIEM 7.3, 7.4, and 7.5 allows for users to access information across tenant and domain boundaries in some situations. IBM X-Force ID: 208397.",
  "id": "GHSA-wv7p-48p2-xrvw",
  "modified": "2022-05-05T00:00:32Z",
  "published": "2022-04-28T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38874"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208397"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6574787"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVVH-P7C3-9MR7

Vulnerability from github – Published: 2023-11-13 18:30 – Updated: 2023-11-13 18:30
VLAI
Details

Use of implicit intent for sensitive communication vulnerability in startAgreeToDisclaimerActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T08:15:21Z",
    "severity": "MODERATE"
  },
  "details": "Use of implicit intent for sensitive communication vulnerability in startAgreeToDisclaimerActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.",
  "id": "GHSA-wvvh-p7c3-9mr7",
  "modified": "2023-11-13T18:30:59Z",
  "published": "2023-11-13T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42546"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVW9-5VQ9-WMCQ

Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-10 00:00
VLAI
Details

IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure. IBM X-Force ID: 225889.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure. IBM X-Force ID: 225889.",
  "id": "GHSA-wvw9-5vq9-wmcq",
  "modified": "2022-10-10T00:00:32Z",
  "published": "2022-10-07T18:15:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22480"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225889"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6826695"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWP8-3R8G-W274

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-16 00:00
VLAI
Details

Exposure of Sensitive Information in CSC application prior to SMR Jul-2022 Release 1 allows local attacker to access wifi information via unprotected intent broadcasting.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Exposure of Sensitive Information in CSC application prior to SMR Jul-2022 Release 1 allows local attacker to access wifi information via unprotected intent broadcasting.",
  "id": "GHSA-wwp8-3r8g-w274",
  "modified": "2022-07-16T00:00:22Z",
  "published": "2022-07-13T00:01:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33694"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWR3-QQ72-5VCC

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-21T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.",
  "id": "GHSA-wwr3-qq72-5vcc",
  "modified": "2022-05-24T19:18:30Z",
  "published": "2022-05-24T19:18:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39127"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX8F-P63X-543F

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2024-08-01 09:30
VLAI
Details

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24975"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-11T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.",
  "id": "GHSA-wx8f-p63x-543f",
  "modified": "2024-08-01T09:30:48Z",
  "published": "2022-02-12T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24975"
    },
    {
      "type": "WEB",
      "url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g"
    },
    {
      "type": "WEB",
      "url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations"
    },
    {
      "type": "WEB",
      "url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXCX-PQJC-2PP9

Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2022-07-13 00:01
VLAI
Details

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-21T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of Elastic Cloud Enterprise has the Elasticsearch \u201canonymous\u201d user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.",
  "id": "GHSA-wxcx-pqjc-2pp9",
  "modified": "2022-07-13T00:01:08Z",
  "published": "2022-05-24T22:29:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22146"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210819-0005"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXJ7-97FP-J53J

Vulnerability from github – Published: 2022-02-01 00:46 – Updated: 2022-02-07 21:20
VLAI
Summary
Exposure of Resource to Wrong Sphere in Zip-Local
Details

The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zip-local"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-31T19:55:36Z",
    "nvd_published_at": "2022-01-28T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.",
  "id": "GHSA-wxj7-97fp-j53j",
  "modified": "2022-02-07T21:20:28Z",
  "published": "2022-02-01T00:46:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23484"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mostafa-Samir/zip-local/commit/6bb9b59733df379ac168aa705790bd8339b4bf9b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Mostafa-Samir/zip-local"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mostafa-Samir/zip-local/blob/master/main.js%23L365"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-ZIPLOCAL-2327477"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in Zip-Local"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.