Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-2M7M-JHX5-8CRH

Vulnerability from github – Published: 2024-05-04 15:30 – Updated: 2024-05-04 15:30
VLAI
Details

IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-04T14:16:01Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies.  IBM X-Force ID:  248545.",
  "id": "GHSA-2m7m-jhx5-8crh",
  "modified": "2024-05-04T15:30:31Z",
  "published": "2024-05-04T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27283"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248545"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7150191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q5C-QW9C-FMVQ

Vulnerability from github – Published: 2023-03-23 19:49 – Updated: 2023-03-27 22:11
VLAI
Summary
Argo CD authenticated but unauthorized users may enumerate Application names via the API
Details

Impact

All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).

Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the requested application before performing the RBAC check. If the application does not exist, the API returns a "not found". If the application does exist, and the user does not have access, the API returns an "unauthorized" error. By trial and error, an attacker can infer which applications exist and which do not.

Note that application resources are not fetched for API calls from unauthenticated users. If your Argo CD instance is accessible from the public internet, unauthenticated users will not be able to cause Argo CD to make Kubernetes API calls.

The patch changes API behavior to return "unauthorized" both when the application is missing and when the user is not authorized to access it. This change in API behavior may impact API clients. Check your code to make sure it will handle the new API behavior properly.

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

  • v2.6.7
  • v2.5.16
  • v2.4.28

Workarounds

There are no workarounds besides upgrading.

Credits

Thank you to bean.zhang of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our guidelines.

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "last_affected": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-23T19:49:11Z",
    "nvd_published_at": "2023-03-27T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAll versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).\n\nMany Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application\u0027s namespace), Argo CD fetches the requested application before performing the RBAC check. If the application does not exist, the API returns a \"not found\". If the application does exist, and the user does not have access, the API returns an \"unauthorized\" error. By trial and error, an attacker can infer which applications exist and which do not.\n\nNote that application resources are not fetched for API calls from _unauthenticated_ users. If your Argo CD instance is accessible from the public internet, unauthenticated users will not be able to cause Argo CD to make Kubernetes API calls.\n\nThe patch changes API behavior to return \"unauthorized\" both when the application is missing and when the user is not authorized to access it. **This change in API behavior may impact API clients.** Check your code to make sure it will handle the new API behavior properly.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.6.7\n* v2.5.16\n* v2.4.28\n\n### Workarounds\n\nThere are no workarounds besides upgrading.\n\n### Credits\n\nThank you to bean.zhang of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability).\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
  "id": "GHSA-2q5c-qw9c-fmvq",
  "modified": "2023-03-27T22:11:08Z",
  "published": "2023-03-23T19:49:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/3a28c8a18cc2aa84fe81492625545d25c7a90bc3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.5.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.6.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md"
    },
    {
      "type": "WEB",
      "url": "http://argo.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD authenticated but unauthorized users may enumerate Application names via the API"
}

GHSA-2WCP-PRMG-9PR7

Vulnerability from github – Published: 2022-04-30 18:17 – Updated: 2022-04-30 18:17
VLAI
Details

iptables-save in iptables before 1.2.4 records the "--reject-with icmp-host-prohibited" rule as "--reject-with tcp-reset," which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2001-1387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2001-11-05T05:00:00Z",
    "severity": "LOW"
  },
  "details": "iptables-save in iptables before 1.2.4 records the \"--reject-with icmp-host-prohibited\" rule as \"--reject-with tcp-reset,\" which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak.",
  "id": "GHSA-2wcp-prmg-9pr7",
  "modified": "2022-04-30T18:17:55Z",
  "published": "2022-04-30T18:17:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1387"
    },
    {
      "type": "WEB",
      "url": "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=50500"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2001-144.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2WFF-JJ2F-98C4

Vulnerability from github – Published: 2024-02-05 21:30 – Updated: 2024-02-05 21:30
VLAI
Details

A security vulnerability has been identified in the cryptlib cryptographic library when cryptlib is compiled with the support for RSA key exchange ciphersuites in TLS (by setting the USE_RSA_SUITES define), it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is able to perform a large number of connections to the server will be able to decrypt RSA ciphertexts or forge signatures using server's certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-05T21:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been identified in the cryptlib cryptographic library when cryptlib is compiled with the support for RSA key exchange ciphersuites in TLS (by setting the USE_RSA_SUITES define), it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is able to perform a large number of connections to the server will be able to decrypt RSA ciphertexts or forge signatures using server\u0027s certificate.",
  "id": "GHSA-2wff-jj2f-98c4",
  "modified": "2024-02-05T21:30:31Z",
  "published": "2024-02-05T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0202"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256518"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WP3-Q67H-9PPC

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-18 00:01
VLAI
Details

In getNeighboringCellInfo of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190619791

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "LOW"
  },
  "details": "In getNeighboringCellInfo of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190619791",
  "id": "GHSA-2wp3-q67h-9ppc",
  "modified": "2021-12-18T00:01:25Z",
  "published": "2021-12-16T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0987"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2X34-P5XR-4CQ8

Vulnerability from github – Published: 2025-12-03 12:30 – Updated: 2025-12-19 21:30
VLAI
Details

User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-03T10:15:47Z",
    "severity": "MODERATE"
  },
  "details": "User enumeration in Nagvis\u0027 Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames.",
  "id": "GHSA-2x34-p5xr-4cq8",
  "modified": "2025-12-19T21:30:15Z",
  "published": "2025-12-03T12:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NagVis/nagvis/pull/411/commits/4acabcf9d5b2d26f390e760f59def8e163908d66"
    },
    {
      "type": "WEB",
      "url": "https://www.nagvis.org/downloads/changelog/1.9.48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2X48-7H28-GFQR

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-22 18:31
VLAI
Details

In multiple locations, there is a possible way to obtain any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T23:15:13Z",
    "severity": "HIGH"
  },
  "details": "In multiple locations, there is a possible way to obtain any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
  "id": "GHSA-2x48-7h28-gfqr",
  "modified": "2025-01-22T18:31:55Z",
  "published": "2025-01-22T00:33:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43095"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-325X-PHGW-F22W

Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-21 00:01
VLAI
Details

In checkExistsAndEnforceCannotModifyImmutablyRestrictedPermission of PermissionManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-186404356

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In checkExistsAndEnforceCannotModifyImmutablyRestrictedPermission of PermissionManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-186404356",
  "id": "GHSA-325x-phgw-f22w",
  "modified": "2021-12-21T00:01:13Z",
  "published": "2021-12-16T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1013"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-326F-JV9V-G2JJ

Vulnerability from github – Published: 2023-01-13 06:30 – Updated: 2023-01-23 21:30
VLAI
Details

NVIDIA BMC contains a vulnerability in IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to an information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-13T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA BMC contains a vulnerability in IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to an information disclosure.",
  "id": "GHSA-326f-jv9v-g2jj",
  "modified": "2023-01-23T21:30:26Z",
  "published": "2023-01-13T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42288"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5435"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-327J-HP5V-9289

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-21 00:01
VLAI
Details

In setApplicationCategoryHint of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-189858128

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In setApplicationCategoryHint of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-189858128",
  "id": "GHSA-327j-hp5v-9289",
  "modified": "2021-12-21T00:01:17Z",
  "published": "2021-12-16T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1009"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.