CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-4M5R-PMX8-V22V
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-231986212
{
"affected": [],
"aliases": [
"CVE-2022-20242"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-231986212",
"id": "GHSA-4m5r-pmx8-v22v",
"modified": "2022-08-14T00:00:21Z",
"published": "2022-08-12T00:01:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20242"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4MGQ-9QGW-GHCX
Vulnerability from github – Published: 2023-02-17 00:30 – Updated: 2025-03-19 18:30The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.
{
"affected": [],
"aliases": [
"CVE-2020-12413"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.",
"id": "GHSA-4mgq-9qgw-ghcx",
"modified": "2025-03-19T18:30:37Z",
"published": "2023-02-17T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12413"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12413"
},
{
"type": "WEB",
"url": "https://raccoon-attack.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4MMC-4H75-WXF9
Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-06 18:30In Permission, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21296"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T17:15:47Z",
"severity": "MODERATE"
},
"details": "In Permission, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-4mmc-4h75-wxf9",
"modified": "2023-11-06T18:30:17Z",
"published": "2023-10-30T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21296"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4P72-6JXP-VMQX
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 18:31Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
{
"affected": [],
"aliases": [
"CVE-2022-45403"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR \u003c 102.5, Thunderbird \u003c 102.5, and Firefox \u003c 107.",
"id": "GHSA-4p72-6jxp-vmqx",
"modified": "2025-04-15T18:31:34Z",
"published": "2022-12-22T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45403"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1762078"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-47"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-48"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-49"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4P9J-MPXW-9W9G
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-04 00:00Proxmox VE prior to 3.2: 'AccessControl.pm' User Enumeration Vulnerability
{
"affected": [],
"aliases": [
"CVE-2014-4156"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "Proxmox VE prior to 3.2: \u0027AccessControl.pm\u0027 User Enumeration Vulnerability",
"id": "GHSA-4p9j-mpxw-9w9g",
"modified": "2024-04-04T00:00:56Z",
"published": "2022-05-17T19:57:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4156"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/06/17/16"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/68028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PP6-M86C-J4GJ
Vulnerability from github – Published: 2022-05-14 02:54 – Updated: 2022-05-14 02:54The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
{
"affected": [],
"aliases": [
"CVE-2013-1620"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-02-08T19:55:00Z",
"severity": "MODERATE"
},
"details": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
"id": "GHSA-4pp6-m86c-j4gj",
"modified": "2022-05-14T02:54:26Z",
"published": "2022-05-14T02:54:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1620"
},
{
"type": "WEB",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10761"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2013/02/05/24"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1135.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1144.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201406-19.xml"
},
{
"type": "WEB",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/57777"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/64758"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1763-1"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4QGJ-3GQ9-2CHF
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-05-24 16:57RSA BSAFE Crypto-C Micro Edition, versions prior to 4.0.5.3 (in 4.0.x) and versions prior to 4.1.3.3 (in 4.1.x), and RSA Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) versions prior to 4.1.6.1 (in 4.1.x) and versions prior to 4.3.3 (4.2.x and 4.3.x) are vulnerable to an Information Exposure Through Timing Discrepancy. A malicious remote user could potentially exploit this vulnerability to extract information leaving data at risk of exposure.
{
"affected": [],
"aliases": [
"CVE-2019-3732"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-30T22:15:00Z",
"severity": "MODERATE"
},
"details": "RSA BSAFE Crypto-C Micro Edition, versions prior to 4.0.5.3 (in 4.0.x) and versions prior to 4.1.3.3 (in 4.1.x), and RSA Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) versions prior to 4.1.6.1 (in 4.1.x) and versions prior to 4.3.3 (4.2.x and 4.3.x) are vulnerable to an Information Exposure Through Timing Discrepancy. A malicious remote user could potentially exploit this vulnerability to extract information leaving data at risk of exposure.",
"id": "GHSA-4qgj-3gq9-2chf",
"modified": "2022-05-24T16:57:32Z",
"published": "2022-05-24T16:57:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3732"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000194054"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/security/en-us/details/DOC-107000/DSA-2019-079-RSA-BSAFE\u0026#174;-Crypto-C-Micro-Edition-and-Micro-Edition-Suite-Multiple-Security-Vulnerab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RQG-F28V-3GVX
Vulnerability from github – Published: 2022-03-09 00:00 – Updated: 2025-08-12 12:30A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V5.6.0), RUGGEDCOM ROS RMC8388 devices (All versions < V5.6.0), RUGGEDCOM ROS RS416v2 (All versions < V5.6.0), RUGGEDCOM ROS RS900G (All versions < V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (32M) V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (32M) V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2288 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2300 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2300P V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG2488 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG900 V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSG920P V5.X (All versions < V5.6.0), RUGGEDCOM ROS RSL910 (All versions < V5.6.0), RUGGEDCOM ROS RST2228 (All versions < V5.6.0), RUGGEDCOM ROS RST916C (All versions < V5.6.0), RUGGEDCOM ROS RST916P (All versions < V5.6.0). A timing attack in a third-party component could make the retrieval of the private key possible, used for encryption of sensitive data. If a threat actor were to exploit this, the data integrity and security could be compromised.
{
"affected": [],
"aliases": [
"CVE-2021-42016"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-08T12:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC8388 devices (All versions \u003c V5.6.0), RUGGEDCOM ROS RS416v2 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100 (32M) V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (32M) V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2288 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300P V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2488 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900 V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG920P V5.X (All versions \u003c V5.6.0), RUGGEDCOM ROS RSL910 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST2228 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916C (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916P (All versions \u003c V5.6.0). A timing attack in a third-party component could make the retrieval of the private key possible, used for encryption of sensitive data. If a threat actor were to exploit this, the data integrity and security could be compromised.",
"id": "GHSA-4rqg-f28v-3gvx",
"modified": "2025-08-12T12:30:31Z",
"published": "2022-03-09T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42016"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-256353.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-256353.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V4G-726H-XVFV
Vulnerability from github – Published: 2021-04-19 14:59 – Updated: 2023-03-17 17:49Impact
AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).
Patches
A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are >=3.11.4.
Users should upgrade to ^3.11.4.
Credits
Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jose-node-esm-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29445"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208",
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:00:41Z",
"nvd_published_at": "2021-04-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n[AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).\n\n### Patches\n\nA patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `\u003e=3.11.4`.\n\nUsers should upgrade to `^3.11.4`.\n\n### Credits\nThanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.",
"id": "GHSA-4v4g-726h-xvfv",
"modified": "2023-03-17T17:49:46Z",
"published": "2021-04-19T14:59:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29445"
},
{
"type": "PACKAGE",
"url": "https://github.com/panva/jose"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/jose-node-esm-runtime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime"
}
GHSA-4VPC-5JX4-CFQG
Vulnerability from github – Published: 2019-12-02 18:09 – Updated: 2021-07-28 15:49An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.2.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.2.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-18886"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2019-12-01T19:47:26Z",
"nvd_published_at": "2019-11-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.",
"id": "GHSA-4vpc-5jx4-cfqg",
"modified": "2021-07-28T15:49:16Z",
"published": "2019-12-02T18:09:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18886"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2019-18886.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18886.yaml"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/symfony-4-3-8-released"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2019-18886"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "User enumeration leak using switch user functionality in Symfony"
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.