Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-27M2-4FPR-973Q

Vulnerability from github – Published: 2023-04-24 09:30 – Updated: 2024-04-04 03:39
VLAI
Details

A username enumeration issue was discovered in Medicine Tracker System 1.0. The login functionality allows a malicious user to guess a valid username due to a different response time from invalid usernames. When one enters a valid username, the response time increases depending on the length of the supplied password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T08:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A username enumeration issue was discovered in Medicine Tracker System 1.0. The login functionality allows a malicious user to guess a valid username due to a different response time from invalid usernames. When one enters a valid username, the response time increases depending on the length of the supplied password.",
  "id": "GHSA-27m2-4fpr-973q",
  "modified": "2024-04-04T03:39:01Z",
  "published": "2023-04-24T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/d34dun1c02n/CVE-2023-30458"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com/download-code?nid=16308\u0026title=Medicine+Tracker+System+in+PHP+%28OOP%29+and+MySQL+DB+Source+Code+Free+Download"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com/php/16308/medicine-tracker-system-php-oop-and-mysql-db-source-code-free-download.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-294X-X7JX-8864

Vulnerability from github – Published: 2025-04-08 06:30 – Updated: 2025-04-08 06:30
VLAI
Details

During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX Device Configuration SSH Management API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T06:15:44Z",
    "severity": "MODERATE"
  },
  "details": "During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX Device Configuration SSH Management API.",
  "id": "GHSA-294x-x7jx-8864",
  "modified": "2025-04-08T06:30:40Z",
  "published": "2025-04-08T06:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0361"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/f4/9b/13/cve-2025-0361pdf-en-US-474511.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2C7G-2HGF-HXF7

Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-21 00:01
VLAI
Details

In onResume of NotificationAccessDetails.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-195412179

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In onResume of NotificationAccessDetails.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-195412179",
  "id": "GHSA-2c7g-2hgf-hxf7",
  "modified": "2021-12-21T00:01:14Z",
  "published": "2021-12-16T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1012"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2CWW-M3RC-2VGR

Vulnerability from github – Published: 2022-12-16 00:30 – Updated: 2025-11-03 21:30
VLAI
Details

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-15T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.",
  "id": "GHSA-2cww-m3rc-2vgr",
  "modified": "2025-11-03T21:30:46Z",
  "published": "2022-12-16T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46392"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XMKJ5IMJEPXYAHHU56Z4P2FSYIEAESB"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CXW-7C85-PJ9P

Vulnerability from github – Published: 2022-09-09 00:01 – Updated: 2022-09-14 00:00
VLAI
Details

The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-08T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated.",
  "id": "GHSA-2cxw-7c85-pj9p",
  "modified": "2022-09-14T00:00:52Z",
  "published": "2022-09-09T00:01:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37146"
    },
    {
      "type": "WEB",
      "url": "https://www.controlgap.com/blog/a-plextrac-story"
    },
    {
      "type": "WEB",
      "url": "http://plextrac.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GQC-6J2Q-83QP

Vulnerability from github – Published: 2026-01-15 18:17 – Updated: 2026-01-23 21:46
VLAI
Summary
RustCrypto Utilities cmov: `thumbv6m-none-eabi` compiler emits non-constant time assembly when using `cmovnz`
Details

Summary

thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). I did not found any other target with the same behaviour but I did not go through all targets supported by Rust.

Details

It seems that, during mask computation, an LLVM optimisation pass is detecting that bitnz is returning 0 or 1, that can be interpreted as a boolean. This intermediate value is not masked by a call to black_box and thus the subsequent .wrapping_sub(1) can be interpreted as a conditional bitwise conditional not.

PoC

This is an attempt at having a minimal faulty code. In a library crate with an up-to-date cmov as only dependency, the content of src/lib.rs is:

#![no_std]
use cmov::Cmov;

#[inline(never)]
pub fn test_ct_cmov(a: &mut u8, b: u8, c: u8) {
    a.cmovnz(&b, c);
}

The resulting assembly emitted (shown using cargo asm --release --target thumbv6m-none-eabi that uses cargo-show-asm):

Collapsed assembly
.section .text.not_ct::test_ct_cmov,"ax",%progbits
    .globl  not_ct::test_ct_cmov
    .p2align    1
    .type   not_ct::test_ct_cmov,%function
    .code   16
    .thumb_func
not_ct::test_ct_cmov:
    .fnstart
    .cfi_sections .debug_frame
    .cfi_startproc
    .save   {r7, lr}
    push {r7, lr}
    .cfi_def_cfa_offset 8
    .cfi_offset lr, -4
    .cfi_offset r7, -8
    .setfp  r7, sp
    add r7, sp, #0
    .cfi_def_cfa_register r7
    .pad    #8
    sub sp, #8
    movs r3, #0
    lsls r2, r2, #24
    bne .LBB0_2
    mvns r3, r3
.LBB0_2:
    ldrb r2, [r0]
    str r3, [sp, #4]
    str r3, [sp]
    mov r3, sp
    @APP
    @NO_APP
    ldr r3, [sp]
    bics r1, r3
    ands r2, r3
    adds r1, r2, r1
    strb r1, [r0]
    add sp, #8
    pop {r7, pc}

The non-constant time assembly is:

    bne  .LBB0_2
    mvns r3, r3
.LBB0_2:

Impact

The exact impact is unclear, especially since cmov clearly warns users that the portable version is best-effort.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "cmov"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T18:17:15Z",
    "nvd_published_at": "2026-01-15T20:16:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`thumbv6m-none-eabi` (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using `cmovnz` (portable version). I did not found any other target with the same behaviour but I did not go through all targets supported by Rust. \n\n### Details\n\nIt seems that, [during `mask` computation](https://github.com/RustCrypto/utils/blob/9e555db060c80f4669d804f448a524a37d201b32/cmov/src/portable.rs#L78), an LLVM optimisation pass is detecting that [`bitnz`](https://github.com/RustCrypto/utils/blob/9e555db060c80f4669d804f448a524a37d201b32/cmov/src/portable.rs#L13) is returning 0 or 1, that can be interpreted as a boolean. This intermediate value is not masked by a call to `black_box` and thus the subsequent [`.wrapping_sub(1)`](https://github.com/RustCrypto/utils/blob/9e555db060c80f4669d804f448a524a37d201b32/cmov/src/portable.rs#L78C1-L78C84) can be interpreted as a conditional bitwise conditional not.\n\n### PoC\n\nThis is an attempt at having a minimal faulty code. In a library crate with an up-to-date `cmov` as only dependency, the content of `src/lib.rs` is:\n\n```rust\n#![no_std]\nuse cmov::Cmov;\n\n#[inline(never)]\npub fn test_ct_cmov(a: \u0026mut u8, b: u8, c: u8) {\n    a.cmovnz(\u0026b, c);\n}\n```\n\n\nThe resulting assembly emitted (shown using `cargo asm --release --target thumbv6m-none-eabi` that uses [`cargo-show-asm`](https://crates.io/crates/cargo-show-asm)):\n\n\u003cdetails\u003e\n\u003csummary\u003eCollapsed assembly\u003c/summary\u003e\n\n```asm\n.section .text.not_ct::test_ct_cmov,\"ax\",%progbits\n\t.globl\tnot_ct::test_ct_cmov\n\t.p2align\t1\n\t.type\tnot_ct::test_ct_cmov,%function\n\t.code\t16\n\t.thumb_func\nnot_ct::test_ct_cmov:\n\t.fnstart\n\t.cfi_sections .debug_frame\n\t.cfi_startproc\n\t.save\t{r7, lr}\n\tpush {r7, lr}\n\t.cfi_def_cfa_offset 8\n\t.cfi_offset lr, -4\n\t.cfi_offset r7, -8\n\t.setfp\tr7, sp\n\tadd r7, sp, #0\n\t.cfi_def_cfa_register r7\n\t.pad\t#8\n\tsub sp, #8\n\tmovs r3, #0\n\tlsls r2, r2, #24\n\tbne .LBB0_2\n\tmvns r3, r3\n.LBB0_2:\n\tldrb r2, [r0]\n\tstr r3, [sp, #4]\n\tstr r3, [sp]\n\tmov r3, sp\n\t@APP\n\t@NO_APP\n\tldr r3, [sp]\n\tbics r1, r3\n\tands r2, r3\n\tadds r1, r2, r1\n\tstrb r1, [r0]\n\tadd sp, #8\n\tpop {r7, pc}\n```\n\n\u003c/details\u003e\n\nThe non-constant time assembly is:\n\n```asm\n    bne  .LBB0_2\n    mvns r3, r3\n.LBB0_2:\n```\n\n### Impact\n\nThe exact impact is unclear, especially since `cmov` clearly warns users that the portable version is best-effort.",
  "id": "GHSA-2gqc-6j2q-83qp",
  "modified": "2026-01-23T21:46:10Z",
  "published": "2026-01-15T18:17:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/utils"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0003.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RustCrypto Utilities cmov: `thumbv6m-none-eabi` compiler emits non-constant time assembly when using `cmovnz`"
}

GHSA-2GR4-4MRG-85RH

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30
VLAI
Details

Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts.

Impact: Username enumeration → facilitates unauthorized access.

Attack Vector: Remote, unauthenticated.

Severity: Important.

CVSSv3: 7.5 (High).

Acknowledgments: Reported by the National Security Agency.

Affected Products:

  • VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x

  • NSX-T 3.x

  • VMware Cloud Foundation (with NSX) 5.x, 4.5.x

Fixed Versions: 

  • NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287).

Workarounds: None.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T19:15:35Z",
    "severity": "HIGH"
  },
  "details": "Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts.\n\n\nImpact: Username enumeration \u2192 facilitates unauthorized access.\n\n\nAttack Vector: Remote, unauthenticated.\n\n\nSeverity: Important.\n\n\nCVSSv3: 7.5 (High).\n\n\nAcknowledgments: Reported by the National Security Agency.\n\n\nAffected Products:\n\n\n\n  *  VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x\n\n  *  NSX-T 3.x\n\n  *  VMware Cloud Foundation (with NSX) 5.x, 4.5.x\n\n\n\n\n\n\n\n\n\n\n\n\nFixed Versions:\u00a0\n\n\n\n  *  NSX 9.0.1.0;  4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287).\n\n\n\n\n\n\nWorkarounds: None.",
  "id": "GHSA-2gr4-4mrg-85rh",
  "modified": "2025-09-29T21:30:26Z",
  "published": "2025-09-29T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41252"
    },
    {
      "type": "WEB",
      "url": "https://https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36150"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GWP-84R9-4MGJ

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-22 18:31
VLAI
Details

In multiple functions of ConnectivityService.java, there is a possible way for a Wi-Fi AP to determine what site a device has connected to through a VPN due to side channel information disclosure. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T23:15:14Z",
    "severity": "HIGH"
  },
  "details": "In multiple functions of ConnectivityService.java, there is a possible way for a Wi-Fi AP to determine what site a device has connected to through a VPN due to side channel information disclosure. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-2gwp-84r9-4mgj",
  "modified": "2025-01-22T18:31:55Z",
  "published": "2025-01-22T00:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49734"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2J9V-8G47-MXH2

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2023-02-02 21:33
VLAI
Details

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25657"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.",
  "id": "GHSA-2j9v-8g47-mxh2",
  "modified": "2023-02-02T21:33:40Z",
  "published": "2022-05-24T17:38:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25657"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:1169"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2020-25657"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889823"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889823,https://gitlab.com/m2crypto/m2crypto/-/issues/285"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JXX-2X93-2Q2F

Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-12-16 17:24
VLAI
Summary
Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin
Details

Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

Generic Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when validating the webhook token.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:generic-webhook-trigger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.84.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-43412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-19T22:23:54Z",
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "severity": "LOW"
  },
  "details": "Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.\n\nThis could potentially allow attackers to use statistical methods to obtain a valid webhook token.\n\nGeneric Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when validating the webhook token.",
  "id": "GHSA-2jxx-2x93-2q2f",
  "modified": "2022-12-16T17:24:07Z",
  "published": "2022-10-19T19:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43412"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/generic-webhook-trigger-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2874"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin"
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.