Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-466P-J3VQ-MWQ3

Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-01-25 15:30
VLAI
Details

IBM Control Center 6.2.1 and 6.3.1

could allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-25T14:15:29Z",
    "severity": "MODERATE"
  },
  "details": "IBM Control Center 6.2.1 and 6.3.1 \n\n\n\n\n\ncould allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts.",
  "id": "GHSA-466p-j3vq-mwq3",
  "modified": "2025-01-25T15:30:31Z",
  "published": "2025-01-25T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35114"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7174842"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4679-HXQ5-W394

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe'd via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-27T05:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe\u0027d via a crafted HTML page.",
  "id": "GHSA-4679-hxq5-w394",
  "modified": "2022-05-13T01:02:39Z",
  "published": "2022-05-13T01:02:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5107"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1833"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/686253"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201709-15"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3926"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-478Q-3PJ2-84WM

Vulnerability from github – Published: 2022-06-25 00:01 – Updated: 2022-07-02 00:00
VLAI
Details

A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames.",
  "id": "GHSA-478q-3pj2-84wm",
  "modified": "2022-07-02T00:00:23Z",
  "published": "2022-06-25T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41634"
    },
    {
      "type": "WEB",
      "url": "https://www.securesystems.de/blog/advisory-and-exploitation-the-melag-ftp-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-48JW-3344-G954

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-05-24 16:54
VLAI
Details

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-21T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.",
  "id": "GHSA-48jw-3344-g954",
  "modified": "2022-05-24T16:54:22Z",
  "published": "2022-05-24T16:54:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13599"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154164/CentOS-Control-Web-Panel-CWP-0.9.8.848-User-Enumeration.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154164/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.848-User-Enumeration.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154164/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.848-User-Enumeration.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FQ5-58J6-9QPH

Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2026-06-01 15:30
VLAI
Details

Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login attempt.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T16:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login\nattempt.",
  "id": "GHSA-4fq5-58j6-9qph",
  "modified": "2026-06-01T15:30:31Z",
  "published": "2023-07-10T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35698"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4GRF-X53V-R95X

Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2024-05-03 18:30
VLAI
Details

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames.  IBM X-Force ID:  199181.",
  "id": "GHSA-4grf-x53v-r95x",
  "modified": "2024-05-03T18:30:37Z",
  "published": "2024-05-03T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20556"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199181"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7149876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4H56-XMQ8-7HC9

Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30
VLAI
Details

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T22:16:01Z",
    "severity": "MODERATE"
  },
  "details": "WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.",
  "id": "GHSA-4h56-xmq8-7hc9",
  "modified": "2026-02-11T00:30:14Z",
  "published": "2026-02-08T00:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25562"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820"
    },
    {
      "type": "WEB",
      "url": "https://wekan.fi"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4H9J-8G4Q-FCFQ

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-12-26 03:30
VLAI
Details

An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-19T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.",
  "id": "GHSA-4h9j-8g4q-fcfq",
  "modified": "2022-12-26T03:30:21Z",
  "published": "2022-05-24T19:08:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36421"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ARMmbed/mbedtls/issues/3394"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/730752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JV6-884H-V282

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2025-11-04 00:31
VLAI
Details

Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:04Z",
    "severity": "HIGH"
  },
  "details": "Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox \u003c 132, Firefox ESR \u003c 128.4, Firefox ESR \u003c 115.17, Thunderbird \u003c 128.4, and Thunderbird \u003c 132.",
  "id": "GHSA-4jv6-884h-v282",
  "modified": "2025-11-04T00:31:53Z",
  "published": "2024-10-29T15:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10463"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1920800"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-55"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-56"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-57"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-58"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JXH-JRGP-4422

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-29 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer

Both Intel and AMD consider it to be architecturally valid for XRSTOR to fail with #PF but nonetheless change the register state. The actual conditions under which this might occur are unclear [1], but it seems plausible that this might be triggered if one sibling thread unmaps a page and invalidates the shared TLB while another sibling thread is executing XRSTOR on the page in question.

__fpu__restore_sig() can execute XRSTOR while the hardware registers are preserved on behalf of a different victim task (using the fpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but modify the registers.

If this happens, then there is a window in which __fpu__restore_sig() could schedule out and the victim task could schedule back in without reloading its own FPU registers. This would result in part of the FPU state that __fpu__restore_sig() was attempting to load leaking into the victim task's user-visible state.

Invalidate preserved FPU registers on XRSTOR failure to prevent this situation from corrupting any state.

[1] Frequent readers of the errata lists might imagine "complex microarchitectural conditions".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer\n\nBoth Intel and AMD consider it to be architecturally valid for XRSTOR to\nfail with #PF but nonetheless change the register state.  The actual\nconditions under which this might occur are unclear [1], but it seems\nplausible that this might be triggered if one sibling thread unmaps a page\nand invalidates the shared TLB while another sibling thread is executing\nXRSTOR on the page in question.\n\n__fpu__restore_sig() can execute XRSTOR while the hardware registers\nare preserved on behalf of a different victim task (using the\nfpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but\nmodify the registers.\n\nIf this happens, then there is a window in which __fpu__restore_sig()\ncould schedule out and the victim task could schedule back in without\nreloading its own FPU registers. This would result in part of the FPU\nstate that __fpu__restore_sig() was attempting to load leaking into the\nvictim task\u0027s user-visible state.\n\nInvalidate preserved FPU registers on XRSTOR failure to prevent this\nsituation from corrupting any state.\n\n[1] Frequent readers of the errata lists might imagine \"complex\n    microarchitectural conditions\".",
  "id": "GHSA-4jxh-jrgp-4422",
  "modified": "2025-04-29T21:31:32Z",
  "published": "2024-05-21T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47226"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/002665dcba4bbec8c82f0aeb4bd3f44334ed2c14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7748e021b9fb7739e3cb88449296539de0b6817"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8778e393afa421f1f117471144f8ce6deb6953a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.