Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-92VW-GR5G-P72G

Vulnerability from github – Published: 2024-12-26 12:30 – Updated: 2024-12-26 12:30
VLAI
Details

Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-26T12:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak.",
  "id": "GHSA-92vw-gr5g-p72g",
  "modified": "2024-12-26T12:30:45Z",
  "published": "2024-12-26T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47155"
    },
    {
      "type": "WEB",
      "url": "https://www.honor.com/global/security/cve-2024-47155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93CV-HRV4-P8Q4

Vulnerability from github – Published: 2024-06-15 15:30 – Updated: 2024-06-15 15:30
VLAI
Details

IBM Db2 for i 7.2, 7.3, 7.4, and 7.5 supplies user defined table function is vulnerable to user enumeration by a local authenticated attacker, without having authority to the related *USRPRF objects. This can be used by a malicious actor to gather information about users that can be targeted in further attacks. IBM X-Force ID: 287174.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-15T14:15:09Z",
    "severity": "LOW"
  },
  "details": "IBM Db2 for i 7.2, 7.3, 7.4, and 7.5 supplies user defined table function is vulnerable to user enumeration by a local authenticated attacker, without having authority to the related *USRPRF objects.  This can be used by a malicious actor to gather information about users that can be targeted in further attacks.  IBM X-Force ID:  287174.",
  "id": "GHSA-93cv-hrv4-p8q4",
  "modified": "2024-06-15T15:30:27Z",
  "published": "2024-06-15T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31870"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/287174"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7157638"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-944J-8CH6-RF6X

Vulnerability from github – Published: 2024-02-05 21:30 – Updated: 2026-02-27 20:57
VLAI
Summary
m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657
Details

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "m2crypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.40.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208",
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-05T22:41:57Z",
    "nvd_published_at": "2024-02-05T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.",
  "id": "GHSA-944j-8ch6-rf6x",
  "modified": "2026-02-27T20:57:08Z",
  "published": "2024-02-05T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50781"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-50781"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254426"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitlab.com/m2crypto/m2crypto"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/m2crypto/m2crypto/-/issues/342"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657"
}

GHSA-94GG-72CX-MG6F

Vulnerability from github – Published: 2024-11-01 18:31 – Updated: 2024-11-05 00:31
VLAI
Details

An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function.",
  "id": "GHSA-94gg-72cx-mg6f",
  "modified": "2024-11-05T00:31:27Z",
  "published": "2024-11-01T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40490"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbpp/sourcebans-pp/issues/975"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-94HH-PJJG-RWMR

Vulnerability from github – Published: 2021-04-19 14:58 – Updated: 2023-03-17 17:49
VLAI
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime
Details

Impact

AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).

Patches

A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are >=3.11.4.

Users should upgrade to ^3.11.4.

Credits

Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jose-browser-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:00:49Z",
    "nvd_published_at": "2021-04-16T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n[AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).\n\n### Patches\n\nA patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `\u003e=3.11.4`.\n\nUsers should upgrade to `^3.11.4`.\n\n### Credits\nThanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.",
  "id": "GHSA-94hh-pjjg-rwmr",
  "modified": "2023-03-17T17:49:50Z",
  "published": "2021-04-19T14:58:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/panva/jose/security/advisories/GHSA-94hh-pjjg-rwmr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29444"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/panva/jose"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/jose-browser-runtime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime"
}

GHSA-94RR-MJ9R-877F

Vulnerability from github – Published: 2023-05-31 00:31 – Updated: 2024-04-04 04:24
VLAI
Details

Macrovideo v380pro v1.4.97 shares the device id and password when sharing the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-30T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "Macrovideo v380pro v1.4.97 shares the device id and password when sharing the device.",
  "id": "GHSA-94rr-mj9r-877f",
  "modified": "2024-04-04T04:24:08Z",
  "published": "2023-05-31T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33741"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zzh-newlearner/record/blob/main/macrovideo_share.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-957C-5X9M-M7RV

Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2025-04-20 03:49
VLAI
Details

The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-12T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server\u0027s private key (this is a variation of the Bleichenbacher attack).",
  "id": "GHSA-957c-5x9m-m7rv",
  "modified": "2025-04-20T03:49:49Z",
  "published": "2022-05-13T01:41:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000385"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0242"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0303"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0368"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0528"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://robotattack.org"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3571-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4057"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/144389"
    },
    {
      "type": "WEB",
      "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094255.html"
    },
    {
      "type": "WEB",
      "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094256.html"
    },
    {
      "type": "WEB",
      "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094257.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102197"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95CP-MQGP-V35F

Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30
VLAI
Details

Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1300",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T17:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-95cp-mqgp-v35f",
  "modified": "2025-09-24T18:30:31Z",
  "published": "2025-09-24T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10890"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/430336833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96G2-7CQX-5GGH

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2025-12-18 15:30
VLAI
Details

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-29T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).",
  "id": "GHSA-96g2-7cqx-5ggh",
  "modified": "2025-12-18T15:30:24Z",
  "published": "2022-05-24T17:22:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14145"
    },
    {
      "type": "WEB",
      "url": "https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d"
    },
    {
      "type": "WEB",
      "url": "https://docs.ssh-mitm.at/CVE-2020-14145.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202105-35"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200709-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/02/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96Q7-C2W2-93P8

Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key. The following conditions may be observed on an affected device: This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key. The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key. The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-10T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key. The following conditions may be observed on an affected device: This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key. The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key. The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.",
  "id": "GHSA-96q7-c2w2-93p8",
  "modified": "2022-08-16T00:00:24Z",
  "published": "2022-08-11T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20866"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.