CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-HG2F-7X6W-X2HX
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.
{
"affected": [],
"aliases": [
"CVE-2020-28368"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-10T19:15:00Z",
"severity": "MODERATE"
},
"details": "Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a \"Platypus\" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.",
"id": "GHSA-hg2f-7x6w-x2hx",
"modified": "2022-05-24T17:34:04Z",
"published": "2022-05-24T17:34:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28368"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J66QUUHXH2RR4CNCKQRGVXVSOUFRPDA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XV23EZIMNLJN4YXRRXLQV2ALW6ZEALXV"
},
{
"type": "WEB",
"url": "https://platypusattack.com"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4804"
},
{
"type": "WEB",
"url": "https://www.zdnet.com/article/new-platypus-attack-can-steal-data-from-intel-cpus"
},
{
"type": "WEB",
"url": "https://xenbits.xen.org/xsa/advisory-351.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/26/1"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-351.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HG9M-67MM-7PG3
Vulnerability from github – Published: 2025-05-05 18:51 – Updated: 2025-05-05 22:06Summary
{field}.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields.
Specifically, when a mutation includes a where clause with multiple unique filters (e.g. id and email), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by field.isFilterable or list.defaultIsFilterable. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result.
Impact
This affects any project relying on the default or dynamic isFilterable behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. While this access control is respected during findMany operations, it was not completely enforced during update and delete mutations when accepting more than one unique where values in filters.
This has no impact on projects using isFilterable: false or defaultIsFilterable: false for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)
Patches
This issue has been patched in @keystone-6/core version 6.5.0.
Workarounds
To mitigate this issue in older versions where patching is not a viable pathway.
- Set
isFilterable: falsestatically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don't use functions) - Set
{field}.graphql.omit.read: truefor relevant fields, which implicitly removes filtering by these fields your GraphQL schema - Deny
updateanddeleteoperations for the relevant lists completely (e.glist({ access: { operation: { update: false, delete: false } }, ... }))
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.0"
},
"package": {
"ecosystem": "npm",
"name": "@keystone-6/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46720"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-05T18:51:34Z",
"nvd_published_at": "2025-05-05T19:15:57Z",
"severity": "LOW"
},
"details": "# Summary \n`{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields.\n\nSpecifically, when a mutation includes a `where` clause with multiple unique filters (e.g. `id` and `email`), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by `field.isFilterable` or `list.defaultIsFilterable`. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result.\n\n# Impact \nThis affects any project relying on the default or dynamic `isFilterable` behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. While this access control is respected during `findMany` operations, it was not completely enforced during `update` and `delete` mutations when accepting more than one unique `where` values in filters.\n\nThis has no impact on projects using `isFilterable: false` or `defaultIsFilterable: false` for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)\n\n# Patches \nThis issue has been patched in `@keystone-6/core` version 6.5.0.\n\n# Workarounds \nTo mitigate this issue in older versions where patching is not a viable pathway.\n\n- Set `isFilterable: false` statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don\u0027t use functions)\n- Set `{field}.graphql.omit.read: true` for relevant fields, which implicitly removes filtering by these fields your GraphQL schema\n- Deny `update` and `delete` operations for the relevant **lists** completely (e.g `list({ access: { operation: { update: false, delete: false } }, ... })`)",
"id": "GHSA-hg9m-67mm-7pg3",
"modified": "2025-05-05T22:06:50Z",
"published": "2025-05-05T18:51:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46720"
},
{
"type": "PACKAGE",
"url": "https://github.com/keystonejs/keystone"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields"
}
GHSA-HH28-H22F-8357
Vulnerability from github – Published: 2025-08-08 14:41 – Updated: 2025-08-11 13:56Impact
When using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
- https://nvd.nist.gov/vuln/detail/CVE-2025-6011
Barring further information, this is also assumed to cover and remediate the following additional vulnerability:
- https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
- https://nvd.nist.gov/vuln/detail/CVE-2025-6010
If this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be sought.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250806193356-4d9b5d3d6486"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54999"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T14:41:14Z",
"nvd_published_at": "2025-08-09T03:15:46Z",
"severity": "LOW"
},
"details": "### Impact\n\nWhen using OpenBao\u0027s `userpass` auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. \n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nUsers may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6011\n\nBarring further information, this is also assumed to cover and remediate the following additional vulnerability:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6010\n\nIf this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be sought.",
"id": "GHSA-hh28-h22f-8357",
"modified": "2025-08-11T13:56:40Z",
"published": "2025-08-08T14:41:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54999"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6011"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenBao has a Timing Side-Channel in the Userpass Auth Method"
}
GHSA-HHG2-C4P3-H55X
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-25 00:00Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0089"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.",
"id": "GHSA-hhg2-c4p3-h55x",
"modified": "2022-05-25T00:00:25Z",
"published": "2022-05-24T19:04:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0089"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H36U6CNREC436W6GYO7QUMJIVEA35SCV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVA2NY26MMXOODUMYZN5DCU3FXMBMBOB"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-30"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4931"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00516.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/10/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/10/10"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/10/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHW5-J8RQ-43WG
Vulnerability from github – Published: 2025-01-29 18:31 – Updated: 2025-01-29 18:31IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy.
{
"affected": [],
"aliases": [
"CVE-2023-37413"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-29T17:15:26Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy.",
"id": "GHSA-hhw5-j8rq-43wg",
"modified": "2025-01-29T18:31:22Z",
"published": "2025-01-29T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37413"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7181814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ6R-9Q35-32HF
Vulnerability from github – Published: 2024-01-30 09:30 – Updated: 2024-02-03 00:31An user enumeration vulnerability was found in SEO Panel 4.10.0. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.
{
"affected": [],
"aliases": [
"CVE-2024-22647"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-30T07:15:08Z",
"severity": "MODERATE"
},
"details": "An user enumeration vulnerability was found in SEO Panel 4.10.0. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.",
"id": "GHSA-hj6r-9q35-32hf",
"modified": "2024-02-03T00:31:33Z",
"published": "2024-01-30T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22647"
},
{
"type": "WEB",
"url": "https://github.com/cassis-sec/CVE/tree/main/2024/CVE-2024-22647"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJC2-4GP6-GJ54
Vulnerability from github – Published: 2026-04-16 06:31 – Updated: 2026-04-16 06:31In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.
{
"affected": [],
"aliases": [
"CVE-2023-5872"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T05:16:12Z",
"severity": "MODERATE"
},
"details": "In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.",
"id": "GHSA-hjc2-4gp6-gj54",
"modified": "2026-04-16T06:31:23Z",
"published": "2026-04-16T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5872"
},
{
"type": "WEB",
"url": "https://certvde.com/de/advisories/VDE-2023-045"
},
{
"type": "WEB",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-045.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HMG4-WWM5-P999
Vulnerability from github – Published: 2025-01-21 21:21 – Updated: 2025-04-17 12:43Impact
Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists.
Patches
Patched in 14.3.2 and 15.1.2.
Workarounds
None available.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "14.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.0"
},
{
"fixed": "15.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24011"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-21T21:21:30Z",
"nvd_published_at": "2025-01-21T16:15:14Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nBased on an analysis of response codes and timing of Umbraco 14+ management API responses, it\u0027s possible to determine whether an account exists.\n\n### Patches\n\nPatched in 14.3.2 and 15.1.2.\n\n### Workarounds\n\nNone available.",
"id": "GHSA-hmg4-wwm5-p999",
"modified": "2025-04-17T12:43:18Z",
"published": "2025-01-21T21:21:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24011"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes "
}
GHSA-HMWV-M7J7-4RFH
Vulnerability from github – Published: 2025-01-31 18:31 – Updated: 2025-01-31 18:31IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy.
{
"affected": [],
"aliases": [
"CVE-2024-45089"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-31T16:15:34Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy.",
"id": "GHSA-hmwv-m7j7-4rfh",
"modified": "2025-01-31T18:31:07Z",
"published": "2025-01-31T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45089"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7182063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HPPH-RX2X-HXC5
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-21181"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
"id": "GHSA-hpph-rx2x-hxc5",
"modified": "2022-05-24T17:43:58Z",
"published": "2022-05-24T17:43:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21181"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1182767"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4886"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.