CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-354F-972F-VPC2
Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-11 19:00The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
{
"affected": [],
"aliases": [
"CVE-2022-2891"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don\u0027t mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.",
"id": "GHSA-354f-972f-vpc2",
"modified": "2022-10-11T19:00:27Z",
"published": "2022-10-11T12:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2891"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/301b3dce-2584-46ec-92ed-1c0626522120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-35X5-M3XW-VP7P
Vulnerability from github – Published: 2022-06-09 00:00 – Updated: 2022-06-16 00:00As a result of an observable discrepancy in returned messages, OPSWAT MetaDefender Core (MDCore) before 5.1.2 could allow an authenticated user to enumerate filenames on the server.
{
"affected": [],
"aliases": [
"CVE-2022-32273"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-08T16:15:00Z",
"severity": "MODERATE"
},
"details": "As a result of an observable discrepancy in returned messages, OPSWAT MetaDefender Core (MDCore) before 5.1.2 could allow an authenticated user to enumerate filenames on the server.",
"id": "GHSA-35x5-m3xw-vp7p",
"modified": "2022-06-16T00:00:26Z",
"published": "2022-06-09T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32273"
},
{
"type": "WEB",
"url": "https://docs.opswat.com/mdcore/release-notes"
},
{
"type": "WEB",
"url": "https://opswat.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36GX-9Q6H-G429
Vulnerability from github – Published: 2023-02-28 23:18 – Updated: 2026-05-29 20:49Impact
We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don't let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.
Patches
Update to 3.8.0+
Workarounds
No
References
https://github.com/vantage6/vantage6/issues/59
For more information
If you have any questions or comments about this advisory: * Email us at vantage6@iknl.nl
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vantage6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39228"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-28T23:18:37Z",
"nvd_published_at": "2023-03-01T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWe are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don\u0027t let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.\n\n### Patches\nUpdate to 3.8.0+\n\n### Workarounds\nNo\n\n### References\nhttps://github.com/vantage6/vantage6/issues/59\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [vantage6@iknl.nl](mailto:vantage6@iknl.nl)",
"id": "GHSA-36gx-9q6h-g429",
"modified": "2026-05-29T20:49:19Z",
"published": "2023-02-28T23:18:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39228"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/issues/59"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/pull/281"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-313.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-52.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vantage6/vantage6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "vantage6 vulnerable to Observable Response Discrepancy"
}
GHSA-36R6-MM7X-RQMM
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2023-11-17 21:30A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, iOS 15.7.4 and iPadOS 15.7.4, macOS Big Sur 11.7.5. An app may be able to disclose kernel memory
{
"affected": [],
"aliases": [
"CVE-2023-28200"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T20:15:19Z",
"severity": "MODERATE"
},
"details": "A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, iOS 15.7.4 and iPadOS 15.7.4, macOS Big Sur 11.7.5. An app may be able to disclose kernel memory",
"id": "GHSA-36r6-mm7x-rqmm",
"modified": "2023-11-17T21:30:25Z",
"published": "2023-05-08T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28200"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213673"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213675"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213677"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213843"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3742-G66H-97PC
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-03-21 03:33** DISPUTED ** On Mooltipass Mini devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that an attack is not "realistically implementable."
{
"affected": [],
"aliases": [
"CVE-2019-14357"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-10T16:15:00Z",
"severity": "LOW"
},
"details": "** DISPUTED ** On Mooltipass Mini devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN. In other words, the side channel is relevant only if the attacker has enough control over the device\u0027s USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor\u0027s position is that an attack is not \"realistically implementable.\"",
"id": "GHSA-3742-g66h-97pc",
"modified": "2024-03-21T03:33:41Z",
"published": "2022-05-24T16:53:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14357"
},
{
"type": "WEB",
"url": "https://github.com/limpkin/mooltipass/blob/master/CVE-2019-14357_statement.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-376V-XGJX-7MFR
Vulnerability from github – Published: 2022-07-15 19:14 – Updated: 2022-07-21 15:57Impact
fastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack.
All versions of fastify-bearer-auth are also affected.
Patches
We released:
- v8.0.1 with a fix for the Fastify v4 line
- v7.0.2 with a fix for the Fastify v3 line
Workarounds
There are no workarounds. Update your dependencies.
References
https://hackerone.com/reports/1633287
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/fastify/fastify-bearer-auth * Email us at hello@matteocollina.com
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fastify-bearer-auth"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.1"
},
{
"last_affected": "6.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fastify/bearer-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fastify/bearer-auth"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.0"
]
}
],
"aliases": [
"CVE-2022-31142"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T19:14:27Z",
"nvd_published_at": "2022-07-14T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nfastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack.\n\nAll versions of fastify-bearer-auth are also affected.\n\n### Patches\n\nWe released:\n\n* v8.0.1 with a fix for the Fastify v4 line\n* v7.0.2 with a fix for the Fastify v3 line\n\n### Workarounds\n\nThere are no workarounds. Update your dependencies.\n\n### References\n\nhttps://hackerone.com/reports/1633287\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/fastify/fastify-bearer-auth](https://github.com/fastify/fastify-bearer-auth)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n",
"id": "GHSA-376v-xgjx-7mfr",
"modified": "2022-07-21T15:57:26Z",
"published": "2022-07-15T19:14:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31142"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1633287"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-bearer-auth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "fastify-bearer-auth vulnerable to Timing Attack Vector"
}
GHSA-379H-2H4C-F6GR
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00In LocaleManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-225881167
{
"affected": [],
"aliases": [
"CVE-2022-20251"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "LOW"
},
"details": "In LocaleManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-225881167",
"id": "GHSA-379h-2h4c-f6gr",
"modified": "2022-08-14T00:00:21Z",
"published": "2022-08-12T00:01:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20251"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37GV-W6H3-7HM7
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
ipv6: sr: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
{
"affected": [],
"aliases": [
"CVE-2025-39702"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:47Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this.",
"id": "GHSA-37gv-w6h3-7hm7",
"modified": "2026-05-12T15:31:04Z",
"published": "2025-09-05T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39702"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b348c9c8d2ca2c67559ffd0e258ae7e1107d4f0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ddd55cf19ed6cc62def5e3af10c2a9df1b861c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86b6d34717fe0570afce07ee79b8eeb40341f831"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a458b2902115b26a25d67393b12ddd57d1216aaa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3967c493799e63f648e9c7b6cb063aa2aed04e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7878d47560d61e3f370aca3cebb8f42a55b990a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff55a452d56490047f5233cc48c5d933f8586884"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38VR-4P57-8H9G
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-02-20 18:30When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
{
"affected": [],
"aliases": [
"CVE-2020-12400"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-08T14:15:00Z",
"severity": "MODERATE"
},
"details": "When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox \u003c 80 and Firefox for Android \u003c 80.",
"id": "GHSA-38vr-4p57-8h9g",
"modified": "2023-02-20T18:30:17Z",
"published": "2022-05-24T17:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12400"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1623116"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00021.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-36"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-39"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-38XM-2FMF-66PQ
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-18 00:01In hasManageOngoingCallsPermission of TelecomServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194105812
{
"affected": [],
"aliases": [
"CVE-2021-0989"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "LOW"
},
"details": "In hasManageOngoingCallsPermission of TelecomServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194105812",
"id": "GHSA-38xm-2fmf-66pq",
"modified": "2021-12-18T00:01:24Z",
"published": "2021-12-16T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0989"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.