Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-HG2F-7X6W-X2HX

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-10T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a \"Platypus\" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.",
  "id": "GHSA-hg2f-7x6w-x2hx",
  "modified": "2022-05-24T17:34:04Z",
  "published": "2022-05-24T17:34:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28368"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J66QUUHXH2RR4CNCKQRGVXVSOUFRPDA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XV23EZIMNLJN4YXRRXLQV2ALW6ZEALXV"
    },
    {
      "type": "WEB",
      "url": "https://platypusattack.com"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4804"
    },
    {
      "type": "WEB",
      "url": "https://www.zdnet.com/article/new-platypus-attack-can-steal-data-from-intel-cpus"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-351.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/11/26/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-351.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HG9M-67MM-7PG3

Vulnerability from github – Published: 2025-05-05 18:51 – Updated: 2025-05-05 22:06
VLAI
Summary
Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
Details

Summary

{field}.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields.

Specifically, when a mutation includes a where clause with multiple unique filters (e.g. id and email), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by field.isFilterable or list.defaultIsFilterable. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result.

Impact

This affects any project relying on the default or dynamic isFilterable behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. While this access control is respected during findMany operations, it was not completely enforced during update and delete mutations when accepting more than one unique where values in filters.

This has no impact on projects using isFilterable: false or defaultIsFilterable: false for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)

Patches

This issue has been patched in @keystone-6/core version 6.5.0.

Workarounds

To mitigate this issue in older versions where patching is not a viable pathway.

  • Set isFilterable: false statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don't use functions)
  • Set {field}.graphql.omit.read: true for relevant fields, which implicitly removes filtering by these fields your GraphQL schema
  • Deny update and delete operations for the relevant lists completely (e.g list({ access: { operation: { update: false, delete: false } }, ... }))
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@keystone-6/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T18:51:34Z",
    "nvd_published_at": "2025-05-05T19:15:57Z",
    "severity": "LOW"
  },
  "details": "# Summary  \n`{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields.\n\nSpecifically, when a mutation includes a `where` clause with multiple unique filters (e.g. `id` and `email`), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by `field.isFilterable` or `list.defaultIsFilterable`. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result.\n\n# Impact  \nThis affects any project relying on the default or dynamic `isFilterable` behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. While this access control is respected during `findMany` operations, it was not completely enforced during `update` and `delete` mutations when accepting more than one unique `where` values in filters.\n\nThis has no impact on projects using `isFilterable: false` or `defaultIsFilterable: false` for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)\n\n# Patches  \nThis issue has been patched in `@keystone-6/core` version 6.5.0.\n\n# Workarounds  \nTo mitigate this issue in older versions where patching is not a viable pathway.\n\n- Set `isFilterable: false` statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don\u0027t use functions)\n- Set `{field}.graphql.omit.read: true` for relevant fields, which implicitly removes filtering by these fields your GraphQL schema\n- Deny `update` and `delete` operations for the relevant **lists** completely (e.g `list({ access: { operation: { update: false, delete: false } }, ... })`)",
  "id": "GHSA-hg9m-67mm-7pg3",
  "modified": "2025-05-05T22:06:50Z",
  "published": "2025-05-05T18:51:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46720"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keystonejs/keystone"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields"
}

GHSA-HH28-H22F-8357

Vulnerability from github – Published: 2025-08-08 14:41 – Updated: 2025-08-11 13:56
VLAI
Summary
OpenBao has a Timing Side-Channel in the Userpass Auth Method
Details

Impact

When using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

  • https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6011

Barring further information, this is also assumed to cover and remediate the following additional vulnerability:

  • https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6010

If this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be sought.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250806193356-4d9b5d3d6486"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T14:41:14Z",
    "nvd_published_at": "2025-08-09T03:15:46Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nWhen using OpenBao\u0027s `userpass` auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. \n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nUsers may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6011\n\nBarring further information, this is also assumed to cover and remediate the following additional vulnerability:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6010\n\nIf this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be sought.",
  "id": "GHSA-hh28-h22f-8357",
  "modified": "2025-08-11T13:56:40Z",
  "published": "2025-08-08T14:41:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54999"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao has a Timing Side-Channel in the Userpass Auth Method"
}

GHSA-HHG2-C4P3-H55X

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-25 00:00
VLAI
Details

Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.",
  "id": "GHSA-hhg2-c4p3-h55x",
  "modified": "2022-05-25T00:00:25Z",
  "published": "2022-05-24T19:04:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0089"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H36U6CNREC436W6GYO7QUMJIVEA35SCV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVA2NY26MMXOODUMYZN5DCU3FXMBMBOB"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-30"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4931"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00516.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/06/10/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/06/10/10"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/06/10/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHW5-J8RQ-43WG

Vulnerability from github – Published: 2025-01-29 18:31 – Updated: 2025-01-29 18:31
VLAI
Details

IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-29T17:15:26Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy.",
  "id": "GHSA-hhw5-j8rq-43wg",
  "modified": "2025-01-29T18:31:22Z",
  "published": "2025-01-29T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37413"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7181814"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ6R-9Q35-32HF

Vulnerability from github – Published: 2024-01-30 09:30 – Updated: 2024-02-03 00:31
VLAI
Details

An user enumeration vulnerability was found in SEO Panel 4.10.0. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-30T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An user enumeration vulnerability was found in SEO Panel 4.10.0. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.",
  "id": "GHSA-hj6r-9q35-32hf",
  "modified": "2024-02-03T00:31:33Z",
  "published": "2024-01-30T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22647"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cassis-sec/CVE/tree/main/2024/CVE-2024-22647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJC2-4GP6-GJ54

Vulnerability from github – Published: 2026-04-16 06:31 – Updated: 2026-04-16 06:31
VLAI
Details

In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-16T05:16:12Z",
    "severity": "MODERATE"
  },
  "details": "In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.",
  "id": "GHSA-hjc2-4gp6-gj54",
  "modified": "2026-04-16T06:31:23Z",
  "published": "2026-04-16T06:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5872"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/de/advisories/VDE-2023-045"
    },
    {
      "type": "WEB",
      "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-045.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMG4-WWM5-P999

Vulnerability from github – Published: 2025-01-21 21:21 – Updated: 2025-04-17 12:43
VLAI
Summary
Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
Details

Impact

Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists.

Patches

Patched in 14.3.2 and 15.1.2.

Workarounds

None available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T21:21:30Z",
    "nvd_published_at": "2025-01-21T16:15:14Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nBased on an analysis of response codes and timing of Umbraco 14+ management API responses, it\u0027s possible to determine whether an account exists.\n\n### Patches\n\nPatched in 14.3.2 and 15.1.2.\n\n### Workarounds\n\nNone available.",
  "id": "GHSA-hmg4-wwm5-p999",
  "modified": "2025-04-17T12:43:18Z",
  "published": "2025-01-21T21:21:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes "
}

GHSA-HMWV-M7J7-4RFH

Vulnerability from github – Published: 2025-01-31 18:31 – Updated: 2025-01-31 18:31
VLAI
Details

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T16:15:34Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy.",
  "id": "GHSA-hmwv-m7j7-4rfh",
  "modified": "2025-01-31T18:31:07Z",
  "published": "2025-01-31T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45089"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7182063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HPPH-RX2X-HXC5

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-09T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
  "id": "GHSA-hpph-rx2x-hxc5",
  "modified": "2022-05-24T17:43:58Z",
  "published": "2022-05-24T17:43:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21181"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1182767"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202104-08"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4886"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.