Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-779J-V68W-458W

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00
VLAI
Details

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in Rocket.Chat \u003cv5, \u003cv4.8.2 and \u003cv4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.",
  "id": "GHSA-779j-v68w-458w",
  "modified": "2022-09-28T00:00:24Z",
  "published": "2022-09-25T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32218"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1406953"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77MP-CM2P-44GJ

Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:30
VLAI
Details

When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review. This vulnerability affects Firefox < 110.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-02T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "When dragging and dropping an image cross-origin, the image\u0027s size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review. This vulnerability affects Firefox \u003c 110.",
  "id": "GHSA-77mp-cm2p-44gj",
  "modified": "2024-04-04T04:30:08Z",
  "published": "2023-06-02T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25741"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1437126"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1812611"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1813376"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78G4-C5R9-6GH7

Vulnerability from github – Published: 2023-07-05 12:30 – Updated: 2024-04-04 05:23
VLAI
Details

TN-5900 Series version 3.3 and prior versions is vulnearble to user enumeration vulnerability. The vulnerability may allow a remote attacker to determine whether a user is valid during password recovery through the web login page and enable a brute force attack with valid users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-05T10:15:10Z",
    "severity": "MODERATE"
  },
  "details": "TN-5900 Series version 3.3 and prior versions is vulnearble to user enumeration vulnerability. The vulnerability may allow a remote attacker to determine whether a user is valid during password recovery through the web login page and enable a brute force attack with valid users.\n\n",
  "id": "GHSA-78g4-c5r9-6gh7",
  "modified": "2024-04-04T05:23:23Z",
  "published": "2023-07-05T12:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3336"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230401-tn-5900-series-user-enumeration-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78JJ-CHHM-HM82

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Observable timing discrepancy in Intel(R) IPP before version 2020 update 1 may allow authorized user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Observable timing discrepancy in Intel(R) IPP before version 2020 update 1 may allow authorized user to potentially enable information disclosure via local access.",
  "id": "GHSA-78jj-chhm-hm82",
  "modified": "2022-05-24T19:04:26Z",
  "published": "2022-05-24T19:04:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7953-VWV9-3RQV

Vulnerability from github – Published: 2023-10-10 12:32 – Updated: 2024-04-04 08:28
VLAI
Details

A vulnerability has been identified in Mendix Forgot Password (Mendix 10 compatible) (All versions < V5.4.0), Mendix Forgot Password (Mendix 7 compatible) (All versions < V3.7.3), Mendix Forgot Password (Mendix 8 compatible) (All versions < V4.1.3), Mendix Forgot Password (Mendix 9 compatible) (All versions < V5.4.0). Applications using the affected module are vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T11:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Mendix Forgot Password (Mendix 10 compatible) (All versions \u003c V5.4.0), Mendix Forgot Password (Mendix 7 compatible) (All versions \u003c V3.7.3), Mendix Forgot Password (Mendix 8 compatible) (All versions \u003c V4.1.3), Mendix Forgot Password (Mendix 9 compatible) (All versions \u003c V5.4.0). Applications using the affected module are vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.",
  "id": "GHSA-7953-vwv9-3rqv",
  "modified": "2024-04-04T08:28:01Z",
  "published": "2023-10-10T12:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43623"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-295483.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C2M-F7CW-58XJ

Vulnerability from github – Published: 2023-04-11 12:30 – Updated: 2023-04-11 12:30
VLAI
Details

A vulnerability has been identified in Mendix Forgot Password (Mendix 7 compatible) (All versions < V3.7.1), Mendix Forgot Password (Mendix 8 compatible) (All versions < V4.1.1), Mendix Forgot Password (Mendix 9 compatible) (All versions < V5.1.1). The affected versions of the module contain an observable response discrepancy issue that could allow an attacker to retrieve sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Mendix Forgot Password (Mendix 7 compatible) (All versions \u003c V3.7.1), Mendix Forgot Password (Mendix 8 compatible) (All versions \u003c V4.1.1), Mendix Forgot Password (Mendix 9 compatible) (All versions \u003c V5.1.1). The affected versions of the module contain an observable response discrepancy issue that could allow an attacker to retrieve sensitive information.",
  "id": "GHSA-7c2m-f7cw-58xj",
  "modified": "2023-04-11T12:30:26Z",
  "published": "2023-04-11T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27464"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-699404.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CQG-8449-RMFV

Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2021-07-27 15:21
VLAI
Summary
Observable Discrepancy in libsecp256k1-rs
Details

A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libsecp256k1-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-20399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-27T15:21:02Z",
    "nvd_published_at": "2020-01-23T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.",
  "id": "GHSA-7cqg-8449-rmfv",
  "modified": "2021-07-27T15:21:02Z",
  "published": "2021-08-25T21:01:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/libsecp256k1/commit/11ba23a9766a5079918cd9f515bc100bc8164b50"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0156.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Observable Discrepancy in libsecp256k1-rs"
}

GHSA-7FJW-2MVJ-PJVV

Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-06 18:30
VLAI
Details

In Package Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-30T17:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In Package Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-7fjw-2mvj-pjvv",
  "modified": "2023-11-06T18:30:17Z",
  "published": "2023-10-30T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21299"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/android-14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7H2G-P6HQ-VH75

Vulnerability from github – Published: 2026-04-01 18:36 – Updated: 2026-04-01 18:36
VLAI
Details

The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T16:23:48Z",
    "severity": "LOW"
  },
  "details": "The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.",
  "id": "GHSA-7h2g-p6hq-vh75",
  "modified": "2026-04-01T18:36:36Z",
  "published": "2026-04-01T18:36:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67806"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/Tk4LgMG2"
    },
    {
      "type": "WEB",
      "url": "https://www.sagedpw.at"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7HM5-8CP5-VQP5

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T19:15:00Z",
    "severity": "LOW"
  },
  "details": "Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-7hm5-8cp5-vqp5",
  "modified": "2022-05-24T19:04:29Z",
  "published": "2022-05-24T19:04:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24512"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210611-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4934"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.