
CWE-668 (Exposure of Resource to Wrong Sphere) — Vulnerability Class 129

129 vulnerabilities classified as CWE-668 (Exposure of Resource to Wrong Sphere). AI Chinese analysis included.

CWE-668 represents a critical access control weakness where software inadvertently exposes sensitive resources, such as files or directories, to unauthorized actors outside their intended security boundary. This vulnerability typically arises from misconfigured permissions, logic errors that target the wrong object, or flawed trust assumptions between different system spheres. Attackers exploit these flaws by leveraging improper access rights to read, modify, or delete protected data, often bypassing intended isolation mechanisms. To mitigate this risk, developers must enforce strict least-privilege principles, ensuring resources are accessible only to the specific processes or users requiring them. Implementing robust access control lists, validating object references before operations, and conducting thorough code reviews for permission settings are essential practices. By rigorously defining and enforcing security boundaries, organizations can prevent unintended data exposure and maintain the integrity of their system architecture against sphere-crossing attacks.

MITRE CWE Description
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.
Common Consequences (3)

Confidentiality: Read Application Data
An adversary that gains access to a resource exposed to a wrong sphere could potentially retrieve private data from that resource, thus breaking the intended confidentiality of that data.

Integrity: Modify Application Data
An adversary that gains access to a resource exposed to a wrong sphere could potentially modify data held within that resource, thus breaking the intended integrity of that data and causing the system relying on that resource to make unintended decisions.

Other: Varies by Context
The consequences may vary widely depending on how the product uses the affected resource.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-21947 | rancher desktop: Dashboard API is network accessible | Rancher | 8.3 | High | 2022-04-01 |
| CVE-2022-21718 | Renderers can obtain access to random bluetooth device without permission in Electron | electron | 3.4 | Low | 2022-03-22 |
| CVE-2022-24074 | Naver Whale Browser Security Vulnerability | NAVER Whale browser | 9.8 | - | 2022-03-17 |
| CVE-2022-0815 | McAfee WebAdvisor - Extension Fingerprinting vulnerability | McAfee WebAdvisor | 6.5 | Medium | 2022-03-10 |
| CVE-2022-26355 | Citrix Federated Authentication Service (FAS) | Federated Authentication Service (FAS) | 4.4 | - | 2022-03-09 |
| CVE-2021-21878 | Lantronix PremierWave 2050 Input Validation Error Vulnerability | Lantronix | 4.9 | - | 2021-12-22 |
| CVE-2021-44524 | Siemens SiPass Integrated and Siveillance Identity Authorization Issue Vulnerability | SiPass integrated V2.76 | 9.1 | - | 2021-12-14 |
| CVE-2021-44523 | Siemens SiPass Integrated and Siveillance Identity Security Vulnerability | SiPass integrated V2.76 | 9.1 | - | 2021-12-14 |
| CVE-2021-44522 | Siemens SiPass Integrated and Siveillance Identity Security Vulnerability | SiPass integrated V2.76 | 7.5 | - | 2021-12-14 |
| CVE-2021-41140 | Reactions leak for secure category topics and private messages | discourse-reactions | 5.3 | Medium | 2021-10-19 |
| CVE-2021-39184 | Sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API | electron | 6.8 | Medium | 2021-10-12 |
| CVE-2021-40496 | Sap Internet Communication Framework Access Control Error Vulnerability | SAP NetWeaver AS ABAP and ABAP Platform | 5.3 | - | 2021-10-12 |
| CVE-2021-41094 | Mandatory encryption at rest can be bypassed (UI) in Wire app | wire-ios | 4.2 | Medium | 2021-10-04 |
| CVE-2021-22869 | Improper access control in GitHub Enterprise Server allows self-hosted runners to execute outside their control group | GitHub Enterprise Server | 9.8 | - | 2021-09-24 |
| CVE-2021-41088 | Remote code execution via the web UI backend of Elvish | elvish | 8.0 | High | 2021-09-23 |
| CVE-2021-34723 | Cisco IOS XE SD-WAN Software Arbitrary File Overwrite Vulnerability | Cisco IOS XE Software | 6.7 | Medium | 2021-09-23 |
| CVE-2021-39212 | Issue when Configuring the ImageMagick Security Policy | ImageMagick | 4.4 | Medium | 2021-09-13 |
| CVE-2021-32788 | Post creator of a whisper post can be revealed to non-staff users in Discourse | discourse | 4.3 | Medium | 2021-07-27 |
| CVE-2021-32760 | Archive package allows chmod of file outside of unpack target directory | containerd | 5.0 | Medium | 2021-07-19 |
| CVE-2021-21382 | Unsafe loopback forwarding interface in Restund | restund | 8.6 | High | 2021-06-11 |
| CVE-2021-20999 | WEIDMUELLER: Accidentally open network port in u-controls and IoT-Gateways | UC20-WL2000-AC (No. 1334950000) | 9.4 | Critical | 2021-05-13 |
| CVE-2021-1438 | Cisco Wide Area Application Services Software Information Disclosure Vulnerability | Cisco Wide Area Application Services (WAAS) | 5.5 | Medium | 2021-05-06 |
| CVE-2021-1423 | Cisco Aironet Access Points Arbitrary File Overwrite Vulnerability | Cisco Aironet Access Point Software | 4.4 | Medium | 2021-03-24 |
| CVE-2021-21334 | environment variable leak | containerd | 6.3 | Medium | 2021-03-10 |
| CVE-2020-26272 | Electron vulnerable to ID collision when routing IPC messages to renderers containing OOPIFs | electron | 5.4 | Medium | 2021-01-28 |
| CVE-2020-26261 | user-readable api tokens in systemd units | systemdspawner | 7.9 | High | 2020-12-09 |
| CVE-2020-26086 | Cisco TelePresence Collaboration Endpoint Software Information Disclosure Vulnerability | Cisco TelePresence Endpoint Software (TC/CE) | 4.3 | Medium | 2020-11-06 |
| CVE-2020-26084 | Cisco Edge Fog Fabric Resource Exposure Vulnerability | Cisco Edge Fog Fabric | 6.5 | Medium | 2020-11-06 |
| CVE-2020-15264 | Privilege Escalation in Boxstarter | boxstarter | 8.0 | High | 2020-10-20 |
| CVE-2020-16212 | Philips Patient Monitoring Devices Exposure of Resource to Wrong Sphere | Patient Information Center iX (PICiX) | 8.8 | - | 2020-09-11 |

Vulnerabilities classified as CWE-668 (Exposure of Resource to Wrong Sphere) represent 129 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.