CVEbaza.plCWE DictionaryCWE-402
Common Weakness Enumeration

CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')

Category: ClassCVE: 23
Description

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

CVE vulnerabilities with CWE-402 (23)
8.7
CVSS
HIGH
CVE-2025-29925

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

pub. 2025-03-19
8.6
CVSS
HIGH
CVE-2021-31407

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

pub. 2021-04-23
8.6
CVSS
HIGH
CVE-2021-31410

Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.

pub. 2021-04-23
8.2
CVSS
HIGH
CVE-2025-48383

Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1.

pub. 2025-05-27
8.1
CVSS
HIGH
CVE-2021-23264

Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.

pub. 2021-12-02
7.5
CVSS
HIGH
CVE-2024-29900

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. This issue is patched in 18.3.1.

pub. 2024-03-29
7.5
CVSS
HIGH
CVE-2022-3596

An information leak was found in OpenStack's undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.

pub. 2023-09-20
7.5
CVSS
HIGH
CVE-2023-34467

XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the rest response was also containing the mail unobfuscated and users were able to filter and sort on the unobfuscated, allowing them to infer the mail content. The consequence was the possibility to retrieve the email addresses of all users even when obfuscated. This has been patched in XWiki 14.4.8, 14.10.4, and 15.0-rc-1.

pub. 2023-06-23
7.1
CVSS
HIGH
CVE-2025-67745

MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null.

pub. 2025-12-18
7.1
CVSS
HIGH
CVE-2024-47146

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial number if physically adjacent and sniffing the RAW WIFI signal.

pub. 2024-12-06
6.9
CVSS
MEDIUM
CVE-2025-0502

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

pub. 2025-01-15
6.9
CVSS
MEDIUM
CVE-2022-30231

A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another user's password hash.

pub. 2022-06-14
6.5
CVSS
MEDIUM
CVE-2017-8442

Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.

pub. 2017-07-07
5.9
CVSS
MEDIUM
CVE-2021-23263

Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).

pub. 2021-12-02
5.8
CVSS
MEDIUM
CVE-2025-49618

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

pub. 2025-07-03
5.5
CVSS
MEDIUM
CVE-2024-0443

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.

pub. 2024-01-12
5.5
CVSS
MEDIUM
CVE-2023-4569

A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak.

pub. 2023-08-28
5.3
CVSS
MEDIUM
CVE-2024-32388

Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected.

pub. 2025-12-01
5.0
CVSS
MEDIUM
CVE-2025-52925

In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812.

pub. 2025-07-02
4.7
CVSS
MEDIUM
CVE-2025-55014

The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP.

pub. 2025-08-04
Showing 20 of 23 vulnerabilities
Information
ID: CWE-402
Type: Class
Vulnerabilities: 23
MITRE CWE ↗
← CWE Dictionary