CWE · MITRE source
CWE-668: Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.
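The description above names two separate control spheres: file permissions (can parties other than the owner read the file at all?) and request validation (can the user name only their own private files, or any file on the system?). The following Python example, added here and not part of the MITRE entry, shows both on a constructed directory tree: a naive file server that lets a user escape their private directory with `..` or an absolute path, a confined version that resolves and checks the path, and a writer that creates private files owner-only instead of inheriting the umask. The layout (`users/<name>/`, `etc/app.conf`) and the helper names are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path


# Constructed sample layout (an assumption for this example): one private
# directory per user under users/, plus an unrelated config file that must
# never be served to any user.
def build_sample_tree(root: Path) -> None:
    (root / "users" / "alice").mkdir(parents=True)
    (root / "users" / "alice" / "notes.txt").write_text("alice's private notes")
    (root / "users" / "bob").mkdir(parents=True)
    (root / "users" / "bob" / "secret.txt").write_text("bob's secret")
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_text("db_password=hunter2")


def serve_private_file_vulnerable(root: Path, user: str, name: str) -> str:
    # The caller controls 'name', so "../bob/secret.txt" or "../../etc/app.conf"
    # walks out of the user's directory: the second control sphere is not enforced.
    return (root / "users" / user / name).read_text()


def confine(base: Path, name: str) -> Path:
    # Resolve both sides so "..", redundant separators and symlinks are collapsed,
    # then insist the target lies strictly inside the user's directory. An absolute
    # 'name' replaces 'base' entirely when joined, so it is caught by the same test.
    base = base.resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise PermissionError(f"{name!r} is outside {base.name}'s private directory")
    return target


def serve_private_file(root: Path, user: str, name: str) -> str:
    return confine(root / "users" / user, name).read_text()


def write_private_file(root: Path, user: str, name: str, data: str) -> None:
    target = confine(root / "users" / user, name)
    # First control sphere: create the file owner-only from the start. umask can
    # only clear bits, so the result is never wider than 0600, and O_EXCL refuses
    # to open a path that already exists (including a pre-planted symlink).
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def group_or_world_accessible(directory: Path) -> list:
    # Audit helper: names of files whose group/other permission bits are set.
    # POSIX mode bits carry no meaning on Windows, so the check is skipped there.
    if os.name != "posix":
        return []
    return sorted(p.name for p in directory.rglob("*")
                  if p.is_file() and (p.stat().st_mode & 0o077))


def demo() -> dict:
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        results["legit"] = serve_private_file(root, "alice", "notes.txt")
        # Sphere violation in the naive version: alice reads bob's file and the config.
        results["vuln_bob"] = serve_private_file_vulnerable(root, "alice", "../bob/secret.txt")
        results["vuln_conf"] = serve_private_file_vulnerable(root, "alice", "../../etc/app.conf")
        # The confined version rejects relative escapes and absolute paths alike.
        attempts = ["../bob/secret.txt", "../../etc/app.conf", str(root / "etc" / "app.conf")]
        blocked = []
        for name in attempts:
            try:
                serve_private_file(root, "alice", name)
                blocked.append(False)
            except PermissionError:
                blocked.append(True)
        results["blocked"] = blocked
        # Files written through write_text inherit the umask (typically 0644);
        # the hardened writer produces an owner-only file.
        write_private_file(root, "alice", "diary.txt", "private")
        results["loose"] = group_or_world_accessible(root / "users")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive server handing alice both `bob's secret` and the config file, the confined server refusing all three escape attempts, and `diary.txt` absent from the audit list while the umask-created files (on a typical 022 umask) appear in it. Note that `resolve()` follows symlinks, which is what makes a symlink planted inside the user's own directory and pointing outside it fail the containment check.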
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (27)
The 15 most specific controls are listed first; the 12 broadly applicable controls that cover many weakness types follow in a second table.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SC-14 | Public Access Protections | SC | Enforces separation so resources are not placed in a public sphere without explicit protection. Note that SC-14 is withdrawn in r5; its capability is provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10. |
SC-2 | Separation of System and User Functionality | SC | Prevents exposure of system management resources and functions into the user functionality sphere. |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Fault-tolerant architecture with role separation keeps internal resolution resources from being exposed to external spheres. |
AC-20 | Use of External Systems | AC | Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use. |
AC-21 | Information Sharing | AC | The control ensures information is not released into a security sphere where the recipient lacks matching access authorizations. |
AC-22 | Publicly Accessible Content | AC | The control ensures information resources are not exposed to the incorrect (public) sphere through review and authorization. |
MP-2 | Media Access | MP | The control prevents exposure of the media resource to the wrong security sphere. |
MP-3 | Media Marking | MP | Marking prevents media containing sensitive data from being moved or accessed within an inappropriate security sphere by making sensitivity visible to handlers. |
MP-5 | Media Transport | MP | Protecting media during transport prevents exposure of resources to the wrong control sphere. |
PE-17 | Alternate Work Site | PE | Requiring controls and assessments at alternate work sites prevents exposure of resources to the wrong sphere by ensuring they remain protected outside the primary facility. |
PE-23 | Facility Location | PE | Planning facility placement prevents exposure of critical resources to environmental or physical threat spheres. |
PE-4 | Access Control for Transmission | PE | Prevents transmission resources from being exposed to an unauthorized physical sphere by limiting who can approach distribution lines. |
PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Drives controls that keep sensitive CUI from being exposed to external systems as an unintended sphere. |
PM-5 | System Inventory | PM | Asset tracking reveals resources that have inadvertently entered an unintended security sphere, permitting corrective isolation. |
CA-9 | Internal System Connections | CA | Controlling internal connections prevents exposure of resources to unintended internal spheres. |

Broadly applicable controls that also address this weakness (12)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SC-32 | System Partitioning | SC | Prevents resources from residing in the wrong sphere by design through explicit domain separation. |
SC-36 | Distributed Processing and Storage | SC | Placing components in separate spheres limits the blast radius of any exposure, reducing the chance that a resource is reachable from an unintended domain. |
SC-39 | Process Isolation | SC | Process isolation ensures resources remain inside their intended spheres, preventing exposure of a resource to an unintended process. |
SC-42 | Sensor Capability and Data | SC | By restricting sensor activation and surfacing its use, the control prevents sensor data from being transferred into an unintended sphere (e.g., attacker-controlled processes or remote exfiltration). |
SC-46 | Cross Domain Policy Enforcement | SC | The control ensures resources are not exposed outside their intended security domain by filtering transfers at the domain boundary. |
SC-7 | Boundary Protection | SC | Internal resources are kept in separate network spheres from externally accessible components. |
AC-23 | Data Mining Protection | AC | Protects against data mining that would expose resources to unauthorized spheres by enforcing detection and controls. |
AC-4 | Information Flow Enforcement | AC | Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres. |
CM-12 | Information Location | CM | Knowing exact processing and storage locations helps avoid exposure of resources to incorrect spheres. |
RA-6 | Technical Surveillance Countermeasures Survey | RA | By locating and eliminating surveillance devices, TSCM prevents resources from being exposed to an adversary-controlled sphere. |
SI-23 | Information Fragmentation | SI | Distributing fragments into separate spheres means a resource leak or exposure on one system does not place the full sensitive information into the wrong sphere. |
SR-12 | Component Disposal | SR | Ensures components are not exposed to an external or disposal sphere while still containing sensitive data or resources. |
Top CVEs of this weakness type, ranked by Risk Priority (the site's own score, which combines CVSS severity and EPSS exploitation probability)
| CVE | Risk priority | CVSS base score | EPSS probability | Published |
|---|---|---|---|---|
CVE-2022-39952 | 7.6 | 9.8 | 0.9378 | 2023-02-16 |
CVE-2018-6910 | 6.9 | 7.5 | 0.9054 | 2018-02-13 |
CVE-2020-27361 | 6.9 | 7.5 | 0.8935 | 2021-07-01 |
CVE-2021-45420 | 6.9 | 9.8 | 0.8225 | 2022-02-14 |
CVE-2024-25153 | 6.9 | 9.8 | 0.8222 | 2024-03-13 |
CVE-2023-37599 | 6.6 | 7.5 | 0.8561 | 2023-07-13 |
CVE-2022-24900 | 6.4 | 9.9 | 0.7329 | 2022-04-29 |
CVE-2023-33510 | 5.8 | 7.5 | 0.7148 | 2023-06-07 |
CVE-2019-12928 | 5.2 | 9.8 | 0.5409 | 2019-06-24 |
CVE-2022-34047 | 5.1 | 7.5 | 0.5918 | 2022-07-20 |
CVE-2022-31845 | 4.7 | 7.5 | 0.5312 | 2022-06-14 |
CVE-2018-7846 | 4.6 | 9.8 | 0.4332 | 2019-05-22 |
CVE-2017-16598 | 4.3 | 8.8 | 0.4298 | 2018-01-23 |
CVE-2017-16606 | 4.3 | 8.8 | 0.4298 | 2018-01-23 |
CVE-2021-37704 | 4.3 | 5.4 | 0.5314 | 2021-08-12 |
CVE-2017-16597 | 4.1 | 9.8 | 0.3611 | 2018-01-23 |
CVE-2021-46354 | 3.9 | 7.5 | 0.3920 | 2022-02-09 |
CVE-2023-37645 | 3.9 | 5.3 | 0.4784 | 2023-07-20 |
CVE-2017-0215 | 3.8 | 5.3 | 0.4500 | 2017-06-15 |
CVE-2017-16610 | 3.8 | 9.8 | 0.3125 | 2018-01-23 |
CVE-2023-2916 | 3.3 | 7.5 | 0.2950 | 2023-08-15 |
CVE-2017-5648 | 3.1 | 9.1 | 0.2176 | 2017-04-17 |
CVE-2022-31846 | 3.1 | 7.5 | 0.2638 | 2022-06-14 |
CVE-2024-40725 | 2.6 | 5.3 | 0.2510 | 2024-07-18 |
CVE-2021-43216 | 2.4 | 6.5 | 0.1823 | 2021-12-15 |