
CWE-668 (Exposure of Resource to Wrong Sphere): 129 Vulnerabilities

129 vulnerabilities are classified under CWE-668 (Exposure of Resource to Wrong Sphere). An AI-generated analysis is included below, followed by the MITRE description and the CVE list.

CWE-668 is a broad, class-level weakness rather than a single bug pattern: software makes a resource (a file, directory, socket, token, or in-memory object) reachable from a control sphere it was never meant to be reachable from. MITRE's description distinguishes two ways this happens. Either the resource's own protection is too weak, for example insecure file permissions or a service bound to every network interface instead of a local socket, or the program operates on the wrong object, for example following a caller-supplied name outside the directory it was meant to serve or reusing a handle after its original owner is gone. Several entries in the list below follow the first pattern: a VNC server reachable over the network rather than only through a UNIX socket (CVE-2025-32428), a gRPC port exposed beyond its intended scope (CVE-2024-35199), and a Redis backend reachable through pmproxy (CVE-2024-3019). Others follow the second: a process handle reused when PIDs are recycled (CVE-2024-43704) and data leaking through deleted and re-created documents (CVE-2023-37911). Mitigation is least privilege applied at the boundary: create sensitive files with an explicit restrictive mode rather than relying on the umask, bind management interfaces to loopback or UNIX sockets, canonicalize and confine object references before acting on them, and treat permission and listener configuration as review items alongside the code. Because the class is so broad, the CVSS scores in the list range from Low to Critical; the CWE names the boundary failure, not its impact, so each CVE has to be assessed on its own.

MITRE CWE Description
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.
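The two control spheres MITRE describes above can both be shown on a scratch directory. The following is an added example, not code from MITRE or from any product on this page: the insecure and hardened forms of writing a private file (sphere 1, permissions) and of serving a file by a user-supplied name (sphere 2, wrong object). The directory names and file contents are constructed for the demonstration; the umask is pinned to the common default 022 so the insecure write reliably produces a world-readable file.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not code from MITRE or from any product listed on this page.
# It exercises the two control spheres MITRE describes for CWE-668 in a
# temporary directory:
#   sphere 1: the permission bits on a private file decide which local
#             users may read it (insecure permissions);
#   sphere 2: the program decides which file a user may ask for
#             (operating on the wrong object).


def write_private_file_insecure(path: Path, data: bytes) -> None:
    """Vulnerable form: the file's mode comes from the process umask.
    Under the common default umask 022 the file is created 0644, so any
    local account can read the "private" data."""
    path.write_bytes(data)


def write_private_file(path: Path, data: bytes) -> None:
    """Hardened form: create the file 0600 in one step, so there is no
    window in which it is readable by others. O_EXCL also refuses to open
    a pre-existing file or a symlink an attacker planted at that path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def others_can_read(path: Path) -> bool:
    """True if the group or world read bit is set on the file."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def read_user_file_insecure(user_dir: Path, name: str) -> bytes:
    """Vulnerable form: joins the caller-supplied name without checking
    where it resolves, so "../other/secret.txt" or a symlink planted in
    user_dir reaches files the user was never meant to see."""
    return (user_dir / name).read_bytes()


def read_user_file(user_dir: Path, name: str) -> bytes:
    """Hardened form: canonicalise the requested path (following symlinks)
    and refuse it unless it still lies inside the user's directory."""
    root = user_dir.resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        raise PermissionError(f"{name!r} resolves outside {root}")
    return target.read_bytes()


def demo() -> dict:
    """Run both scenarios in a temporary directory (constructed data) and
    report the outcome of each as a dict of booleans."""
    base = Path(tempfile.mkdtemp())
    alice, other = base / "alice", base / "other"
    alice.mkdir()
    other.mkdir()
    (other / "secret.txt").write_bytes(b"other user's data")
    # A symlink inside alice's directory pointing at another user's file.
    (alice / "link.txt").symlink_to(other / "secret.txt")

    old = os.umask(0o022)  # common default, pinned so the demo is deterministic
    try:
        write_private_file_insecure(alice / "insecure.txt", b"private")
        write_private_file(alice / "hardened.txt", b"private")
    finally:
        os.umask(old)

    results = {
        "insecure_world_readable": others_can_read(alice / "insecure.txt"),
        "hardened_world_readable": others_can_read(alice / "hardened.txt"),
        "traversal_leaks": read_user_file_insecure(alice, "../other/secret.txt")
        == b"other user's data",
        "symlink_leaks": read_user_file_insecure(alice, "link.txt")
        == b"other user's data",
        "legit_read_ok": read_user_file(alice, "hardened.txt") == b"private",
    }
    for name in ("../other/secret.txt", "link.txt"):
        try:
            read_user_file(alice, name)
            results[f"blocked:{name}"] = False
        except PermissionError:
            results[f"blocked:{name}"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened reader resolves symlinks before the containment check; checking the unresolved string would still let a planted link escape. The hardened writer uses O_EXCL so that a path an attacker pre-created is refused rather than truncated or followed.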
Common Consequences (3)

Confidentiality: Read Application Data
An adversary that gains access to a resource exposed to a wrong sphere could potentially retrieve private data from that resource, thus breaking the intended confidentiality of that data.

Integrity: Modify Application Data
An adversary that gains access to a resource exposed to a wrong sphere could potentially modify data held within that resource, thus breaking the intended integrity of that data and causing the system relying on that resource to make unintended decisions.

Other: Varies by Context
The consequences may vary widely depending on how the product uses the affected resource.
CVE list (most recent first). Values marked (AI) were produced by the site's AI analysis rather than taken from the advisory; "-" means the page lists no severity.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-32428 | Jupyter Remote Desktop Proxy makes TigerVNC accessible via the network and not just via a UNIX socket as intended | jupyter-remote-desktop-proxy | 8.8 (AI) | High (AI) | 2025-04-14
CVE-2025-21608 | Forged packets over MQTT can show up in direct messages in Meshtastic firmware | firmware | 5.3 | - | 2025-02-18
CVE-2024-13484 | Openshift-gitops-operator-container: namespace isolation break | - | 8.2 | High | 2025-01-28
CVE-2025-23205 | `frame-ancestors: self` grants all users access to formgrader in nbgrader | nbgrader | 6.5 | - | 2025-01-17
CVE-2024-5660 | Multiple ARM products security vulnerability | Cortex-A77 | 8.4 | - | 2024-12-10
CVE-2024-43704 | GPU DDK - PowerVR: PVRSRVAcquireProcessHandleBase can cause psProcessHandleBase reuse when PIDs are reused | Graphics DDK | 7.1 (AI) | High (AI) | 2024-11-18
CVE-2024-51754 | Unguarded calls to __toString() when nesting an object into an array in Twig | Twig | 2.2 | Low | 2024-11-06
CVE-2024-51755 | Unguarded calls to __isset() and to array-accesses when the sandbox is enabled in Twig | Twig | 2.2 | Low | 2024-11-06
CVE-2024-22281 | Apache Helix Front (UI): Helix front hard-coded secret in the express-session | Apache Helix Front (UI) | 9.1 (AI) | Critical (AI) | 2024-08-20
CVE-2024-42350 | Public key confusion in third party block in Biscuit | biscuit | 3.0 | Low | 2024-08-05
CVE-2024-35199 | TorchServe gRPC Port Exposure | serve | 8.2 | High | 2024-07-18
CVE-2024-40725 | Apache HTTP Server: source code disclosure with handlers configured via AddType | Apache HTTP Server | 7.5 | - | 2024-07-18
CVE-2024-39553 | Junos OS Evolved: Receipt of arbitrary data when sampling service is enabled leads to partial Denial of Service (DoS) | Junos OS Evolved | 6.5 | Medium | 2024-07-11
CVE-2024-38368 | Trunk's 'Claim your pod' could be used to obtain unused pods | CocoaPods | 9.3 | Critical | 2024-07-01
CVE-2024-5313 | Schneider Electric EVlink Home Smart security vulnerability | EVlink Home Smart | 6.5 | Medium | 2024-06-12
CVE-2023-5751 | CODESYS: Development system prone to DoS through exposure of resource to wrong sphere | CODESYS Control Win (SL) | 7.8 | High | 2024-06-04
CVE-2023-39478 | Softing Secure Integration Server Exposure of Resource to Wrong Sphere Remote Code Execution Vulnerability | Secure Integration Server | 8.8 | - | 2024-05-03
CVE-2023-6096 | Use of inappropriate encryption logic | HRX-1620 | 7.4 | High | 2024-04-26
CVE-2024-32473 | Moby IPv6 enabled on IPv4-only network interfaces | moby | 4.7 | Medium | 2024-04-18
CVE-2024-21605 | Junos OS: SRX 300 Series: Specific link-local traffic causes a control plane overload | Junos OS | 6.5 | Medium | 2024-04-12
CVE-2024-29905 | DIRAC: Unauthorized users can read proxy contents during generation | DIRAC | 8.1 | High | 2024-04-09
CVE-2024-3019 | Pcp: exposure of the redis server backend allows remote command execution via pmproxy | - | 8.8 | High | 2024-03-28
CVE-2024-21597 | Junos OS: MX Series: In an AF scenario traffic can bypass configured lo0 firewall filters | Junos OS | 5.3 | Medium | 2024-01-12
CVE-2023-48291 | Apache Airflow: Improper access control to DAG resources | Apache Airflow | 4.3 (AI) | Medium (AI) | 2023-12-21
CVE-2023-49347 | Ubuntu Budgie Extras security vulnerability | Budgie Extras | 6.0 | Medium | 2023-12-14
CVE-2023-49345 | Ubuntu Budgie Extras security vulnerability | Budgie Extras | 6.0 | Medium | 2023-12-14
CVE-2023-39171 | SENEC Storage Box V1, V2 and V3 accidentally expose a management interface | Storage Box V1 | 7.2 | High | 2023-12-07
CVE-2023-4910 | 3scale-admin-portal: logged-out users' tokens can be accessed | Red Hat 3scale API Management Platform 2 | 5.5 | Medium | 2023-11-06
CVE-2023-2622 | Hitachi Energy MACH System Software security vulnerability | MACH System Software | 2.7 | Low | 2023-11-01
CVE-2023-37911 | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents | xwiki-platform | 6.5 | Medium | 2023-10-25
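A recurring pattern in the titles above is a service that was meant to be host-local (reachable only through a proxy or a UNIX socket on the same machine) but ends up listening on a network interface. The following is an added example, not code from any product in the list, of the kind of configuration check that catches this before deployment: it classifies each listener's bind specification into the sphere it is actually reachable from and flags those wider than the operator intended. The sample listeners are constructed for the example and are not the real configurations of the products named in the CVEs.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from any product in the list above. The sample
# listeners below are constructed to illustrate the pattern, not the real
# configurations of the products named in the CVE titles.


@dataclass(frozen=True)
class Listener:
    service: str
    bind: str       # "host:port", "[v6addr]:port" or "unix:/path"
    intended: str   # sphere the operator meant: "local" or "network"


def sphere_of(bind: str) -> str:
    """Classify who can reach a listener from its bind specification:
    "local" (same host only), "network" (other hosts) or "unknown"
    (a hostname that would need resolving to decide). Bare IPv6 literals
    must be written in brackets, as most servers require."""
    if bind.startswith("unix:"):
        return "local"            # filesystem socket: host-local by construction
    host, _, _port = bind.rpartition(":")
    host = host.strip("[]")       # IPv6 literals are written [addr]:port
    if host in ("", "*"):
        return "network"          # empty or wildcard host means all interfaces
    if host == "localhost":
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "local"
    return "network"              # 0.0.0.0, :: and any interface address


# "unknown" is ranked as exposed so an unresolved hostname is flagged, not ignored.
RANK = {"local": 0, "network": 1, "unknown": 1}


def audit(listeners) -> list:
    """Return (service, bind, actual sphere) for each listener that is
    reachable from a wider sphere than the operator intended."""
    return [
        (l.service, l.bind, sphere_of(l.bind))
        for l in listeners
        if RANK[sphere_of(l.bind)] > RANK[l.intended]
    ]


# Constructed sample configuration, assumed for this example only.
SAMPLE = [
    Listener("vnc", "0.0.0.0:5901", "local"),        # meant to sit behind a same-host proxy
    Listener("vnc-fixed", "unix:/run/vnc.sock", "local"),
    Listener("grpc-mgmt", "[::]:7070", "local"),     # management API on every interface
    Listener("cache", "127.0.0.1:6379", "local"),
    Listener("admin", "[::1]:8080", "local"),
    Listener("web", "0.0.0.0:443", "network"),       # public by design, not a finding
    Listener("metrics", "192.0.2.10:9100", "local"), # bound to a LAN address, still not local
]


if __name__ == "__main__":
    for service, bind, actual in audit(SAMPLE):
        print(f"{service}: {bind} is reachable from the {actual} sphere "
              f"but was meant to be local")
```

The check deliberately treats any non-loopback address, including RFC 1918 and other "internal" ranges, as network-exposed: a private address narrows who can reach the service, but it does not make it host-local, and that distinction is exactly what CWE-668 is about.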

129 CVEs are classified as CWE-668 (Exposure of Resource to Wrong Sphere). The CWE entry describes the weakness class; review each CVE individually for its product-specific impact.