CWE-668 (Exposure of Resource to Wrong Sphere) — Vulnerability Class 129

129 vulnerabilities classified as CWE-668 (Exposure of Resource to Wrong Sphere). An AI-generated Chinese-language analysis is included for each entry.

CWE-668 is a class-level access control weakness: software makes a resource (a file, directory, socket, temporary file, configuration object, API endpoint) available to actors outside the control sphere it was meant for. More specific entries such as CWE-200 (information exposure) and CWE-732 (incorrect permission assignment) sit beneath it; CVEs land on CWE-668 itself when the root cause is the boundary violation rather than one of those specific mechanisms. The weakness typically arises from insecure permissions on the resource, from logic that operates on the wrong object (for example, resolving a user-supplied name to a path outside the user's area), or from trust assumptions that do not hold across a process, user or network boundary. The entries on this page illustrate the range: a Unix-domain socket created with the wrong permissions for a short window, a temporary file readable by other local users, a filesystem scope that can be partially bypassed, a privilege escalation via path separator handling. Mitigation is least privilege applied to the resource itself: create files and sockets with the final restrictive mode in a single call rather than creating them open and tightening afterwards, resolve and validate every object reference against the intended boundary before acting on it, and review permission settings and ownership checks explicitly during code review.

MITRE CWE Description
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.
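The MITRE description above distinguishes two control spheres: the private file must be readable only by its owner, and the owner must only be able to reach their own private files. The following Python example, added here and not taken from the page or from any of the listed projects, enforces both: it creates the file with a restrictive mode atomically (the create-then-chmod pattern leaves exactly the kind of short exposure window that CWE-668 covers), and it confines a requested name to the user's directory, rejecting traversal, absolute paths and symlinks that point outside. The directory and file names are hypothetical and the sample data is constructed.

```python
"""Added example: the two CWE-668 control spheres enforced in code.

Sphere 1 - a user's private file must be readable only by that user, so it
is created with mode 0600 in a single os.open() call instead of being
created with default permissions and chmod-ed afterwards.

Sphere 2 - a user may only request files inside their own directory, so the
requested name is resolved against that directory and anything that escapes
it (traversal, absolute paths, symlinks pointing elsewhere) is refused.

All paths and names are hypothetical; the sample data is constructed.
"""
import os
import stat
import tempfile


def write_private_file(path: str, data: bytes) -> int:
    """Create `path` with 0600 permissions atomically; return its mode bits."""
    # O_CREAT|O_EXCL fails if anything already exists at `path`, including an
    # attacker-planted symlink, so we never write through a pre-existing entry.
    # The mode argument is applied at creation; umask can only remove bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def resolve_private_path(user_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `user_dir`, or raise."""
    root = os.path.realpath(user_dir)
    # os.path.join drops `root` if `requested` is absolute, so that case
    # surfaces as an escape and is rejected by the commonpath check below.
    candidate = os.path.realpath(os.path.join(root, requested))
    # realpath resolves '..' and symlinks, so the check is on the real target.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes private directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Exercise both checks in a temp dir; return results the caller can assert on."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        user_dir = os.path.join(tmp, "alice")
        os.mkdir(user_dir, 0o700)

        # Constructed sample: a private note belonging to user "alice".
        secret = os.path.join(user_dir, "notes.txt")
        results["mode"] = write_private_file(secret, b"alice's secret\n")

        # Legitimate request for the user's own file.
        results["ok_path"] = (
            resolve_private_path(user_dir, "notes.txt") == os.path.realpath(secret)
        )

        # Requests that try to leave the private directory.
        rejected = []
        for bad in ("../../etc/passwd", "/etc/passwd", "sub/../../bob/notes.txt"):
            try:
                resolve_private_path(user_dir, bad)
                rejected.append(False)
            except PermissionError:
                rejected.append(True)
        results["rejected"] = rejected

        # A symlink inside the directory that points outside it.
        os.symlink(tmp, os.path.join(user_dir, "escape"))
        try:
            resolve_private_path(user_dir, "escape/bob")
            results["symlink_rejected"] = False
        except PermissionError:
            results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if key == 'mode' else value}")
```

The mode check asserts only that no group or other bits are set, because a stricter umask may legitimately strip the owner's write bit as well. The path check compares real paths on both sides so that a symlinked root (such as /tmp on macOS) does not produce a false rejection.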
Common Consequences (3)

Confidentiality: Read Application Data
An adversary that gains access to a resource exposed to a wrong sphere could potentially retrieve private data from that resource, thus breaking the intended confidentiality of that data.

Integrity: Modify Application Data
An adversary that gains access to a resource exposed to a wrong sphere could potentially modify data held within that resource, thus breaking the intended integrity of that data and causing the system relying on that resource to make unintended decisions.

Other: Varies by Context
The consequences may vary widely depending on how the product uses the affected resource.
The table lists 30 of the 129 CVEs. Severity is the page's qualitative rating; "-" means none was given. Titles that appeared on the page only as a Chinese-language placeholder ("security vulnerability") are translated as such.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-45145 | Redis Unix-domain socket may be exposed with the wrong permissions for a short time window | redis | 3.6 | Low | 2023-10-18 |
| CVE-2023-42792 | Apache Airflow: Improper access control to DAG resources | Apache Airflow | 4.3 | - | 2023-10-14 |
| CVE-2022-20917 | Cisco Jabber security vulnerability | Cisco Jabber | 4.3 | Medium | 2023-09-15 |
| CVE-2023-3670 | Codesys: Vulnerability in CODESYS Development System and CODESYS Scripting | CODESYS Development System | 7.3 | High | 2023-07-28 |
| CVE-2023-34189 | Apache InLong: General user can delete and update process | Apache InLong | 9.1 | - | 2023-07-25 |
| CVE-2023-35696 | SICK ICR890-4 security vulnerability | ICR890-4 | 7.5 | High | 2023-07-10 |
| CVE-2023-34114 | Zoom Client security vulnerability | Zoom for Windows Client | 7.4 | High | 2023-06-13 |
| CVE-2023-31103 | Apache InLong: Attackers can change the immutable name and type of cluster | Apache InLong | 8.2 | - | 2023-05-22 |
| CVE-2023-31206 | Apache InLong: Attackers can change the immutable name and type of nodes | Apache InLong | 8.2 | - | 2023-05-22 |
| CVE-2023-27976 | Schneider Electric EcoStruxure Control Expert security vulnerability | EcoStruxure Control Expert | 8.8 | High | 2023-04-18 |
| CVE-2023-29208 | Data leak through deleted documents | xwiki-platform | 7.5 | High | 2023-04-15 |
| CVE-2023-26458 | Information Disclosure vulnerability in SAP Landscape Management | Landscape Management | 6.8 | Medium | 2023-04-11 |
| CVE-2023-29192 | SilverwareGames.io users with access to the game upload panel are able to edit download links for games uploaded by other developers | silverwaregames-io-issue-tracker | 2.7 | Low | 2023-04-10 |
| CVE-2023-28433 | Minio Privilege Escalation on Windows via Path separator manipulation | minio | 8.8 | High | 2023-03-22 |
| CVE-2023-24523 | SAP Host Agent security vulnerability | Host Agent Service | 8.8 | High | 2023-02-14 |
| CVE-2022-46756 | Dell VxRail security vulnerability | VxRail HCI | 8.2 | High | 2023-02-01 |
| CVE-2022-22732 | Schneider Electric EcoStruxure Power Commission security vulnerability | EcoStruxure Power Commission | 3.9 | Low | 2023-01-30 |
| CVE-2022-45438 | Apache Superset: Dashboard metadata information leak | Apache Superset | 5.3 | - | 2023-01-16 |
| CVE-2022-45935 | Apache James server: Temporary File Information Disclosure | Apache James server | 5.5 | - | 2023-01-06 |
| CVE-2022-31596 | SAP BusinessObjects Business Intelligence Platform security vulnerability | SAP Business Objects Platform (Monitoring DB) | 6.7 | - | 2022-12-12 |
| CVE-2022-3866 | Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/ | Nomad | 5.0 | Medium | 2022-11-10 |
| CVE-2022-41874 | Tauri Filesystem Scope can be Partially Bypassed | tauri | 2.6 | Low | 2022-11-10 |
| CVE-2022-39015 | SAP BusinessObjects Business Intelligence Platform security vulnerability | SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder) | 6.5 | - | 2022-10-11 |
| CVE-2022-35936 | Ethermint DoS through Unintended Contract Selfdestruct | ethermint | 8.2 | High | 2022-08-05 |
| CVE-2022-32249 | SAP S/4HANA and SAP Business One security vulnerability | SAP Business one | 7.5 | - | 2022-07-12 |
| CVE-2022-32530 | Schneider Electric Geo SCADA Mobile security vulnerability | Geo SCADA Mobile | 4.8 | Medium | 2022-06-24 |
| CVE-2022-29247 | Exposure of Resource to Wrong Sphere in Electron | electron | 2.2 | Low | 2022-06-13 |
| CVE-2022-1467 | AVEVA InTouch Access Anywhere Exposure of Resource to Wrong Sphere | AVEVA InTouch Access Anywhere | 7.4 | High | 2022-05-23 |
| CVE-2022-24823 | Local Information Disclosure Vulnerability in io.netty:netty-codec-http | netty | 5.5 | Medium | 2022-05-06 |
| CVE-2022-22515 | A component of the CODESYS Control runtime system allows read and write access to configuration files | CODESYS Control RTE (SL) | 8.1 | High | 2022-04-07 |

In total, 129 CVEs are classified as CWE-668 (Exposure of Resource to Wrong Sphere) on this page. The CWE entry describes the weakness class, not any particular bug; consult each CVE's advisory for the product-specific impact and fix.