CWE-402
Transmission of Private Resources into a New Sphere ('Resource Leak')
Abstraction: Class, Status: Draft
Description
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Hierarchy (View 1000)
CVEs mapped to this weakness (5)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-48383 | High | 0.46 | 8.2 | 0.00 | | May 27, 2025 | Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1. |
| CVE-2017-8442 | Med | 0.42 | 6.5 | 0.00 | | Jul 7, 2017 | Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. |
| CVE-2025-49618 | Med | 0.38 | 5.8 | 0.00 | | Jul 3, 2025 | In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint. |
| CVE-2025-52925 | Med | 0.33 | 5.0 | 0.00 | | Jul 2, 2025 | In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812. |
| CVE-2025-55014 | Med | 0.31 | 4.7 | 0.00 | | Aug 4, 2025 | The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP. |