CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 12 of 23
- CVE-2022-1875MEDIUMCVSS 4.3EG 4.32022-07-27
Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1902HIGHCVSS 8.8EG 8.82022-09-01
A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secre…
- CVE-2022-1911MEDIUMCVSS 5.3EG 5.32022-11-30
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system.
- CVE-2022-1983MEDIUMCVSS 6.5EG 4.32022-07-01
Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any…
- CVE-2022-20270MEDIUMCVSS 5.5EG 5.52022-08-12
In Content, there is a possible way to learn gmail account name on the device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for e…
- CVE-2022-20525LOWCVSS 3.3EG 3.32022-12-16
In enforceVisualVoicemailPackage of PhoneInterfaceManager.java, there is a possible leak of visual voicemail package name due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges…
- CVE-2022-20529LOWCVSS 2.4EG 2.42022-12-16
In multiple locations of WifiDialogActivity.java, there is a possible limited lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege in wifi settings with no additional execution privileges nee…
- CVE-2022-20562LOWCVSS 3.3EG 3.32022-12-16
In various functions of ap_input_processor.c, there is a possible way to record audio during a phone call due to a logic error in the code. This could lead to local information disclosure with User execution privileges needed. User interac…
- CVE-2022-20696HIGHCVSS 7.5EG 8.82022-09-08
A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected…
- CVE-2022-20917MEDIUMCVSS 4.3EG 4.32023-09-15
A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected appl…
- CVE-2022-21126HIGHCVSS 7.3EG 7.32022-11-29
The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary…
- CVE-2022-2160MEDIUMCVSS 6.5EG 6.52022-07-28
Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from a user's local files …
- CVE-2022-21718LOWCVSS 3.4EG 3.42022-03-22
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to …
- CVE-2022-21817CRITICALCVSS 9.3EG 9.32022-02-02
NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get user to browse malicious site, to acquire access tokens allowing them to access resour…
- CVE-2022-21845MEDIUMCVSS 4.7EG 4.72022-07-12
Windows Kernel Information Disclosure Vulnerability
- CVE-2022-21880HIGHCVSS 7.5EG 7.52022-01-11
Windows GDI+ Information Disclosure Vulnerability
- CVE-2022-21904HIGHCVSS 7.5EG 7.52022-01-11
Windows GDI Information Disclosure Vulnerability
- CVE-2022-21915MEDIUMCVSS 6.5EG 6.52022-01-11
Windows GDI+ Information Disclosure Vulnerability
- CVE-2022-21947HIGHCVSS 8.3EG 8.32022-04-01
A Exposure of Resource to Wrong Sphere vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. This issue affects: SUSE Rancher Desktop versions…
- CVE-2022-21964MEDIUMCVSS 5.5EG 5.52022-01-11
Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability
- CVE-2022-21985MEDIUMCVSS 5.5EG 5.52022-02-09
Windows Remote Access Connection Manager Information Disclosure Vulnerability
- CVE-2022-21993HIGHCVSS 7.5EG 7.52022-02-09
Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
- CVE-2022-21998MEDIUMCVSS 5.5EG 5.52022-02-09
Windows Common Log File System Driver Information Disclosure Vulnerability
- CVE-2022-22011MEDIUMCVSS 5.5EG 5.52022-05-10
Windows Graphics Component Information Disclosure Vulnerability
- CVE-2022-22015MEDIUMCVSS 6.5EG 6.52022-05-10
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
- CVE-2022-22028MEDIUMCVSS 5.9EG 5.92022-07-12
Windows Network File System Information Disclosure Vulnerability
- CVE-2022-22042MEDIUMCVSS 6.5EG 6.52022-07-12
Windows Hyper-V Information Disclosure Vulnerability
- CVE-2022-22154MEDIUMCVSS 6.8EG 6.82022-01-19
In a Junos Fusion scenario an External Control of Critical State Data vulnerability in the Satellite Device (SD) control state machine of Juniper Networks Junos OS allows an attacker who is able to make physical changes to the cabling of t…
- CVE-2022-22314LOWCVSS 3.3EG 3.32022-09-08
IBM Planning Analytics Local 2.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 217371.
- CVE-2022-22331HIGHCVSS 7.1EG 7.12022-04-01
IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 219130.
- CVE-2022-22334MEDIUMCVSS 4.3EG 4.32022-08-01
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user to access information from a tenant of which they should not have access. IBM X-Force ID: 219391.
- CVE-2022-22414MEDIUMCVSS 5.5EG 5.52022-06-20
IBM Robotic Process Automation 21.0.2 could allow a local user to obtain sensitive web service configuration credentials from system memory. IBM X-Force ID: 223026.
- CVE-2022-22442MEDIUMCVSS 6.5EG 6.52022-11-03
"IBM InfoSphere Information Server 11.7 could allow an authenticated user to access information restricted to users with elevated privileges due to improper access controls. IBM X-Force ID: 224427."
- CVE-2022-22480HIGHCVSS 7.5EG 7.52022-10-07
IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure. IBM X-Force ID: 225889.
- CVE-2022-22483MEDIUMCVSS 6.5EG 6.52022-09-13
IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. IBM…
- CVE-2022-22494MEDIUMCVSS 5.3EG 5.32022-06-30
IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14 could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request. This information could then be used in fu…
- CVE-2022-22515HIGHCVSS 8.1EG 8.12022-04-07
A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.
- CVE-2022-22579HIGHCVSS 7.8EG 7.82022-03-18
An information disclosure issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. Processing a maliciousl…
- CVE-2022-22583MEDIUMCVSS 5.5EG 5.52022-03-18
A permissions issue was addressed with improved validation. This issue is fixed in Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access restricted files.
- CVE-2022-22598LOWCVSS 3.3EG 3.32022-03-18
An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 15.4 and iPadOS 15.4. An app may be able to learn information about the current camera view before being granted camera access.
- CVE-2022-22622MEDIUMCVSS 4.6EG 4.62022-03-18
This issue was addressed with improved checks. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions.
- CVE-2022-22652MEDIUMCVSS 6.1EG 6.12022-03-18
The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical …
- CVE-2022-22662MEDIUMCVSS 6.5EG 6.52022-05-26
A cookie management issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5. Processing maliciously crafted web content may disclose sensitive user information.
- CVE-2022-22711MEDIUMCVSS 5.7EG 6.72022-07-12
Windows BitLocker Information Disclosure Vulnerability
- CVE-2022-22716MEDIUMCVSS 5.5EG 5.52022-02-09
Microsoft Excel Information Disclosure Vulnerability
- CVE-2022-22732LOWCVSS 3.9EG 7.52023-01-30
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources (data) supplied by the server when an attacker sends a fetch request from third-party site or malicious site. …
- CVE-2022-22783MEDIUMCVSS 6.5EG 7.52022-04-28
A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected clients, which could be observed by a pass…
- CVE-2022-22961MEDIUMCVSS 5.3EG 5.32022-04-13
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. A malicious actor with remote access may leak the hostname of the target system. Suc…
- CVE-2022-23118HIGHCVSS 8.8EG 7.52022-01-12
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke…
- CVE-2022-23163MEDIUMCVSS 4.7EG 5.52022-04-12
Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →