CWE-653 65 個 CVE MITRE 定義 ↗

CWE-653:Improper Isolation or Compartmentalization

概覽

CWE-653(Improper Isolation or Compartmentalization)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-12297 2026-06-16 Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 1…
CVE-2026-12295 2026-06-16 Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
CVE-2026-41155 2026-06-12 An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disru…
CVE-2026-42782 2026-05-25 Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted co…
CVE-2026-8945 2026-05-19 Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
CVE-2026-44009 2026-05-13 vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
CVE-2026-44005 2026-05-13 vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying h…
CVE-2026-43997 2026-05-13 vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be usin…
CVE-2026-8401 2026-05-12 Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
CVE-2026-26956 2026-05-04 vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and r…
CVE-2026-26332 2026-05-04 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
CVE-2026-24781 2026-05-04 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can esc…
CVE-2026-41174 2026-04-30 Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation…
CVE-2026-40968 2026-04-28 When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the s…
CVE-2026-5600 2026-04-08 A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows…
CVE-2026-5599 2026-04-05 A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
CVE-2026-34775 2026-04-03 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference …
CVE-2026-4325 2026-04-02 A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use ent…
CVE-2026-4282 2026-04-02 A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authoriza…
CVE-2025-12805 2026-03-26 A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vulnerability allows unauthorized access to Llama Stack services deployed in other namespaces via direct network requests, b…

曾用名

  • Design Principle Violation: Insufficient Compartmentalization (2009-01-12)
  • Insufficient Compartmentalization (2021-10-28)

內容提交

名稱
Pascal Meunier
組織
Purdue University
日期
2008-01-18
版本
Draft 8

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Alternate_Terms, Common_Consequences, Description, Relationships, Other_Notes, Weakness_Ordinalities
2009-01-12 CWE Content Team 1.2 updated Name
2010-12-13 CWE Content Team 1.11 updated Other_Notes, Relationship_Notes, Terminology_Notes
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Detection_Factors
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
2020-02-24 CWE Content Team 4.0 updated Demonstrative_Examples, Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Description, Name, Observed_Examples, References, Relationships
2022-10-13 CWE Content Team 4.9 updated References
2023-04-27 CWE Content Team 4.11 updated References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2023-10-26 CWE Content Team 4.13 updated Demonstrative_Examples, Observed_Examples
2024-02-29 CWE Content Team 4.14 updated Type
2025-09-09 CWE Content Team 4.18 updated References
2025-12-11 CWE Content Team 4.19 updated Relationships
cvelogic Threat Intelligence