CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-466P-J3VQ-MWQ3
Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-01-25 15:30IBM Control Center 6.2.1 and 6.3.1
could allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts.
{
"affected": [],
"aliases": [
"CVE-2024-35114"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-25T14:15:29Z",
"severity": "MODERATE"
},
"details": "IBM Control Center 6.2.1 and 6.3.1 \n\n\n\n\n\ncould allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts.",
"id": "GHSA-466p-j3vq-mwq3",
"modified": "2025-01-25T15:30:31Z",
"published": "2025-01-25T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35114"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7174842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4679-HXQ5-W394
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe'd via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2017-5107"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-27T05:29:00Z",
"severity": "MODERATE"
},
"details": "A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe\u0027d via a crafted HTML page.",
"id": "GHSA-4679-hxq5-w394",
"modified": "2022-05-13T01:02:39Z",
"published": "2022-05-13T01:02:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5107"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1833"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/686253"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201709-15"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3926"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-478Q-3PJ2-84WM
Vulnerability from github – Published: 2022-06-25 00:01 – Updated: 2022-07-02 00:00A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames.
{
"affected": [],
"aliases": [
"CVE-2021-41634"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T12:15:00Z",
"severity": "MODERATE"
},
"details": "A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames.",
"id": "GHSA-478q-3pj2-84wm",
"modified": "2022-07-02T00:00:23Z",
"published": "2022-06-25T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41634"
},
{
"type": "WEB",
"url": "https://www.securesystems.de/blog/advisory-and-exploitation-the-melag-ftp-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-48JW-3344-G954
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-05-24 16:54In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.
{
"affected": [],
"aliases": [
"CVE-2019-13599"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.",
"id": "GHSA-48jw-3344-g954",
"modified": "2022-05-24T16:54:22Z",
"published": "2022-05-24T16:54:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13599"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154164/CentOS-Control-Web-Panel-CWP-0.9.8.848-User-Enumeration.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154164/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.848-User-Enumeration.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154164/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.848-User-Enumeration.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4FQ5-58J6-9QPH
Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2026-06-01 15:30Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login attempt.
{
"affected": [],
"aliases": [
"CVE-2023-35698"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T16:15:52Z",
"severity": "MODERATE"
},
"details": "Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login\nattempt.",
"id": "GHSA-4fq5-58j6-9qph",
"modified": "2026-06-01T15:30:31Z",
"published": "2023-07-10T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35698"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4GRF-X53V-R95X
Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2024-05-03 18:30IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.
{
"affected": [],
"aliases": [
"CVE-2021-20556"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T18:15:07Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.",
"id": "GHSA-4grf-x53v-r95x",
"modified": "2024-05-03T18:30:37Z",
"published": "2024-05-03T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20556"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199181"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7149876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4H56-XMQ8-7HC9
Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.
{
"affected": [],
"aliases": [
"CVE-2026-25562"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T22:16:01Z",
"severity": "MODERATE"
},
"details": "WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.",
"id": "GHSA-4h56-xmq8-7hc9",
"modified": "2026-02-11T00:30:14Z",
"published": "2026-02-08T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25562"
},
{
"type": "WEB",
"url": "https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820"
},
{
"type": "WEB",
"url": "https://wekan.fi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4H9J-8G4Q-FCFQ
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-12-26 03:30An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.
{
"affected": [],
"aliases": [
"CVE-2020-36421"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-19T17:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.",
"id": "GHSA-4h9j-8g4q-fcfq",
"modified": "2022-12-26T03:30:21Z",
"published": "2022-05-24T19:08:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36421"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/issues/3394"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/730752"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4JV6-884H-V282
Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2025-11-04 00:31Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.
{
"affected": [],
"aliases": [
"CVE-2024-10463"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T13:15:04Z",
"severity": "HIGH"
},
"details": "Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox \u003c 132, Firefox ESR \u003c 128.4, Firefox ESR \u003c 115.17, Thunderbird \u003c 128.4, and Thunderbird \u003c 132.",
"id": "GHSA-4jv6-884h-v282",
"modified": "2025-11-04T00:31:53Z",
"published": "2024-10-29T15:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10463"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1920800"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-55"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-56"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-57"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-58"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-59"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4JXH-JRGP-4422
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-29 21:31In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer
Both Intel and AMD consider it to be architecturally valid for XRSTOR to fail with #PF but nonetheless change the register state. The actual conditions under which this might occur are unclear [1], but it seems plausible that this might be triggered if one sibling thread unmaps a page and invalidates the shared TLB while another sibling thread is executing XRSTOR on the page in question.
__fpu__restore_sig() can execute XRSTOR while the hardware registers are preserved on behalf of a different victim task (using the fpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but modify the registers.
If this happens, then there is a window in which __fpu__restore_sig() could schedule out and the victim task could schedule back in without reloading its own FPU registers. This would result in part of the FPU state that __fpu__restore_sig() was attempting to load leaking into the victim task's user-visible state.
Invalidate preserved FPU registers on XRSTOR failure to prevent this situation from corrupting any state.
[1] Frequent readers of the errata lists might imagine "complex microarchitectural conditions".
{
"affected": [],
"aliases": [
"CVE-2021-47226"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer\n\nBoth Intel and AMD consider it to be architecturally valid for XRSTOR to\nfail with #PF but nonetheless change the register state. The actual\nconditions under which this might occur are unclear [1], but it seems\nplausible that this might be triggered if one sibling thread unmaps a page\nand invalidates the shared TLB while another sibling thread is executing\nXRSTOR on the page in question.\n\n__fpu__restore_sig() can execute XRSTOR while the hardware registers\nare preserved on behalf of a different victim task (using the\nfpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but\nmodify the registers.\n\nIf this happens, then there is a window in which __fpu__restore_sig()\ncould schedule out and the victim task could schedule back in without\nreloading its own FPU registers. This would result in part of the FPU\nstate that __fpu__restore_sig() was attempting to load leaking into the\nvictim task\u0027s user-visible state.\n\nInvalidate preserved FPU registers on XRSTOR failure to prevent this\nsituation from corrupting any state.\n\n[1] Frequent readers of the errata lists might imagine \"complex\n microarchitectural conditions\".",
"id": "GHSA-4jxh-jrgp-4422",
"modified": "2025-04-29T21:31:32Z",
"published": "2024-05-21T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47226"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/002665dcba4bbec8c82f0aeb4bd3f44334ed2c14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a7748e021b9fb7739e3cb88449296539de0b6817"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8778e393afa421f1f117471144f8ce6deb6953a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.