CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
CVE-2023-35698 (GCVE-0-2023-35698)
Vulnerability from cvelistv5 – Published: 2023-07-10 09:37 – Updated: 2026-06-01 12:11- CWE-204 - Observable Response Discrepancy
| URL | Tags |
|---|---|
| https://sick.com/psirt | issue-tracking |
| https://sick.com/.well-known/csaf/white/2023/sca-… | vendor-advisory |
| https://sick.com/.well-known/csaf/white/2023/sca-… | x_csaf |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:44.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
},
{
"tags": [
"x_csaf",
"x_transferred"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T19:50:35.574284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T19:51:56.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "ICR890-4",
"vendor": "SICK AG",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "*"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login\nattempt."
}
],
"value": "Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login\nattempt."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T12:11:21.524Z",
"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"shortName": "SICK AG"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
},
{
"tags": [
"x_csaf"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The recommended solution is to update the firmware to a version \u0026gt;= V2.5.0 as soon as\npossible.\n\n\u003cbr\u003e"
}
],
"value": "The recommended solution is to update the firmware to a version \u003e= V2.5.0 as soon as\npossible."
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"assignerShortName": "SICK AG",
"cveId": "CVE-2023-35698",
"datePublished": "2023-07-10T09:37:22.798Z",
"dateReserved": "2023-06-15T11:32:19.767Z",
"dateUpdated": "2026-06-01T12:11:21.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33859 (GCVE-0-2023-33859)
Vulnerability from cvelistv5 – Published: 2024-07-10 15:26 – Updated: 2024-08-02 15:54- CWE-204 - Response Discrepancy Information Exposure
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7159770 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security QRadar EDR |
Affected:
3.12
cpe:2.3:a:ibm:security_qradar_edr:3.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T16:06:57.712047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T16:07:16.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:12.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7159770"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257697"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_qradar_edr:3.12:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Security QRadar EDR",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "3.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security QRadar EDR 3.12 could disclose sensitive information due to an observable login response discrepancy. IBM X-Force ID: 257697."
}
],
"value": "IBM Security QRadar EDR 3.12 could disclose sensitive information due to an observable login response discrepancy. IBM X-Force ID: 257697."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Response Discrepancy Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-14T18:56:02.125Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7159770"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257697"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security ReaQta information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-33859",
"datePublished": "2024-07-10T15:26:49.293Z",
"dateReserved": "2023-05-23T00:32:05.086Z",
"dateUpdated": "2024-08-02T15:54:12.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32346 (GCVE-0-2023-32346)
Vulnerability from cvelistv5 – Published: 2023-05-22 14:45 – Updated: 2025-01-16 21:35- CWE-204 - Observable Response Discrepancy
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Teltonika | Remote Management System |
Affected:
0 , < 4.10.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:55:52.356937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:35:08.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Remote Management System",
"vendor": "Teltonika",
"versions": [
{
"lessThan": "4.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Noam Moshe"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Claroty"
}
],
"datePublic": "2023-05-11T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTeltonika\u2019s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.\u003c/span\u003e\n\n"
}
],
"value": "\nTeltonika\u2019s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-22T14:45:46.985Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-32346",
"datePublished": "2023-05-22T14:45:46.985Z",
"dateReserved": "2023-05-08T22:09:33.449Z",
"dateUpdated": "2025-01-16T21:35:08.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31186 (GCVE-0-2023-31186)
Vulnerability from cvelistv5 – Published: 2023-05-30 00:00 – Updated: 2025-01-10 21:17- CWE-204 - Response Discrepancy Information Exposure
| Vendor | Product | Version | |
|---|---|---|---|
| Avaya | IX Workforce Engagement |
Affected:
Update to the latest version , < v15.2.7.1195*
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:26.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T21:17:25.150415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T21:17:38.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IX Workforce Engagement",
"vendor": "Avaya",
"versions": [
{
"lessThan": "v15.2.7.1195*",
"status": "affected",
"version": "Update to the latest version",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dudu Moyal, Gad Abuhatziera, Moriel Harush"
}
],
"datePublic": "2023-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Response Discrepancy Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T00:00:00.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"source": {
"advisory": "ILVN-2023-0103",
"discovery": "UNKNOWN"
},
"title": "Avaya IX Workforce Engagement - User Enumeration - CWE-204: Observable Response Discrepancy",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2023-31186",
"datePublished": "2023-05-30T00:00:00.000Z",
"dateReserved": "2023-04-24T00:00:00.000Z",
"dateUpdated": "2025-01-10T21:17:38.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28412 (GCVE-0-2023-28412)
Vulnerability from cvelistv5 – Published: 2023-05-22 19:24 – Updated: 2025-01-16 21:33- CWE-204 - Observable Response Discrepancy
| Vendor | Product | Version | |
|---|---|---|---|
| Snap One | OvrC Cloud |
Affected:
0 , < 7.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:55:42.498843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:33:55.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OvrC Cloud",
"vendor": "Snap One",
"versions": [
{
"lessThan": "7.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Uri Katz of Claroty reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eWhen supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information.\u003c/p\u003e\u003cbr\u003e\n\n\u003cbr\u003e\n\n\u003cbr\u003e\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\n\n\n\n\n\n\n\n\nWhen supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information.\n\n\n\n\n\n\n\n\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Observable Response Discrepancy ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-22T19:24:06.082Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01"
},
{
"url": "https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eSnap One has released the following updates/fixes for the affected products:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.\u003c/li\u003e\u003cli\u003eOvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.\u003c/li\u003e\u003cli\u003eDisable UPnP.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, see Snap One\u2019s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf\"\u003eRelease Notes\u003c/a\u003e.\u003c/p\u003e\n\n"
}
],
"value": "\nSnap One has released the following updates/fixes for the affected products:\n\n * OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.\n * OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.\n * Disable UPnP.\n\n\nFor more information, see Snap One\u2019s Release Notes https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf .\n\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-28412",
"datePublished": "2023-05-22T19:24:06.082Z",
"dateReserved": "2023-04-26T19:18:23.279Z",
"dateUpdated": "2025-01-16T21:33:55.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27464 (GCVE-0-2023-27464)
Vulnerability from cvelistv5 – Published: 2023-04-11 09:03 – Updated: 2025-02-07 16:50- CWE-204 - Observable Response Discrepancy
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | Mendix Forgot Password (Mendix 7 compatible) |
Affected:
All versions < V3.7.1
|
|
| Siemens | Mendix Forgot Password (Mendix 8 compatible) |
Affected:
All versions < V4.1.1
|
|
| Siemens | Mendix Forgot Password (Mendix 9 compatible) |
Affected:
All versions < V5.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:43.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-699404.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T16:50:31.698147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T16:50:42.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix Forgot Password (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.7.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix Forgot Password (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V4.1.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix Forgot Password (Mendix 9 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V5.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix Forgot Password (Mendix 7 compatible) (All versions \u003c V3.7.1), Mendix Forgot Password (Mendix 8 compatible) (All versions \u003c V4.1.1), Mendix Forgot Password (Mendix 9 compatible) (All versions \u003c V5.1.1). The affected versions of the module contain an observable response discrepancy issue that could allow an attacker to retrieve sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T09:03:03.269Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-699404.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2023-27464",
"datePublished": "2023-04-11T09:03:03.269Z",
"dateReserved": "2023-03-01T17:29:31.289Z",
"dateUpdated": "2025-02-07T16:50:42.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27283 (GCVE-0-2023-27283)
Vulnerability from cvelistv5 – Published: 2024-05-04 13:16 – Updated: 2024-08-02 12:09- CWE-204 - Response Discrepancy Information Exposure
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7150191 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Aspera Orchestrator |
Affected:
4.0.1
|
|
| ibm | aspera_orchestrator |
Affected:
4.0.1
cpe:2.3:a:ibm:aspera_orchestrator:4.0.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_orchestrator:4.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aspera_orchestrator",
"vendor": "ibm",
"versions": [
{
"status": "affected",
"version": "4.0.1"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27283",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-06T18:05:27.300438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:24:51.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:42.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7150191"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248545"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aspera Orchestrator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545."
}
],
"value": "IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Response Discrepancy Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-04T13:20:41.326Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7150191"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248545"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Aspera Orchestrator information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-27283",
"datePublished": "2024-05-04T13:16:14.314Z",
"dateReserved": "2023-02-27T17:47:22.586Z",
"dateUpdated": "2024-08-02T12:09:42.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23584 (GCVE-0-2023-23584)
Vulnerability from cvelistv5 – Published: 2023-12-18 21:59 – Updated: 2024-08-02 10:35- CWE-204 - Observable Response Discrepancy
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | Command Centre Server |
Affected:
0 , ≤ 8.50
(custom)
Affected: 8.70 , < 8.70.1787 (MR2) (custom) Affected: 8.60 , < 8.60.2039 (MR4) (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23584"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.50",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.70.1787 (MR2)",
"status": "affected",
"version": "8.70",
"versionType": "custom"
},
{
"lessThan": "8.60.2039 (MR4)",
"status": "affected",
"version": "8.60",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Command Centre \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.\u003c/span\u003e\n\n"
}
],
"value": "\nAn observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. \n\nThis issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T21:59:58.271Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23584"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2023-23584",
"datePublished": "2023-12-18T21:59:58.271Z",
"dateReserved": "2023-02-03T20:38:05.261Z",
"dateUpdated": "2024-08-02T10:35:33.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23449 (GCVE-0-2023-23449)
Vulnerability from cvelistv5 – Published: 2023-05-15 10:54 – Updated: 2026-06-01 12:21- CWE-204 - Observable Response Discrepancy
| URL | Tags |
|---|---|
| https://sick.com/psirt | issue-tracking |
| https://sick.com/.well-known/csaf/white/2023/sca-… | vendor-advisory |
| https://sick.com/.well-known/csaf/white/2023/sca-… | x_csaf |
| Vendor | Product | Version | |
|---|---|---|---|
| SICK AG | SICK FTMG-ESD15AXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
|
| SICK AG | SICK FTMG-ESD20AXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
|
| SICK AG | SICK FTMG-ESD25AXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
|
| SICK AG | SICK FTMG-ESN40SXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
|
| SICK AG | SICK FTMG-ESN50SXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
|
| SICK AG | SICK FTMG-ESR40SXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
|
| SICK AG | SICK FTMG-ESR50SXX AIR FLOW SENSOR |
Affected:
all firmware versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:28:41.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.pdf"
},
{
"tags": [
"x_csaf",
"x_transferred"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.json"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T19:13:50.768926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T19:13:54.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESD15AXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
},
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESD20AXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
},
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESD25AXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
},
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESN40SXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
},
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESN50SXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
},
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESR40SXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
},
{
"defaultStatus": "affected",
"product": "SICK FTMG-ESR50SXX AIR FLOW SENSOR",
"vendor": "SICK AG",
"versions": [
{
"status": "affected",
"version": "all firmware versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Observable Response Discrepancy in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker\nto gain information about valid usernames by analyzing challenge responses from the server via the\nREST interface."
}
],
"value": "Observable Response Discrepancy in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker\nto gain information about valid usernames by analyzing challenge responses from the server via the\nREST interface."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T12:21:55.635Z",
"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"shortName": "SICK AG"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.pdf"
},
{
"tags": [
"x_csaf"
],
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.json"
}
],
"source": {
"discovery": "INTERNAL"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Please make sure that you apply general security practices when operating the SICK FTMg\nlike network segmentation. The following General Security Practices and Operating Guidelines could\nmitigate the associated security risk."
}
],
"value": "Please make sure that you apply general security practices when operating the SICK FTMg\nlike network segmentation. The following General Security Practices and Operating Guidelines could\nmitigate the associated security risk."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"assignerShortName": "SICK AG",
"cveId": "CVE-2023-23449",
"datePublished": "2023-05-15T10:54:46.463Z",
"dateReserved": "2023-01-12T04:07:53.939Z",
"dateUpdated": "2026-06-01T12:21:55.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4095 (GCVE-0-2023-4095)
Vulnerability from cvelistv5 – Published: 2023-09-19 13:22 – Updated: 2024-09-25 15:28- CWE-204 - Observable Response Discrepancy
| Vendor | Product | Version | |
|---|---|---|---|
| Fujitsu | Arconte Áurea |
Affected:
0 , < 1.5.0.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:11.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fujitsu-arconte-aurea"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T15:27:54.388770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:28:11.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Arconte \u00c1urea",
"vendor": "Fujitsu ",
"versions": [
{
"lessThan": "1.5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Pablo Arias Rodriguez and Jorge Alberto Palma Reyes, members of CSIRT-CV"
}
],
"datePublic": "2023-09-01T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User enumeration vulnerability in Arconte \u00c1urea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform."
}
],
"value": "User enumeration vulnerability in Arconte \u00c1urea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-19T13:22:30.888Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fujitsu-arconte-aurea"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerabilities have been fixed by Fujitsu in version 1.5.0.0, released on 4/4/2022. All new versions of the product, including the latest 1.6.2.3, also include the fixes."
}
],
"value": "This vulnerabilities have been fixed by Fujitsu in version 1.5.0.0, released on 4/4/2022. All new versions of the product, including the latest 1.6.2.3, also include the fixes."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "User enumeration vulnerability in Fujitsu Arconte \u00c1urea",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2023-4095",
"datePublished": "2023-09-19T13:22:30.888Z",
"dateReserved": "2023-08-02T11:05:17.537Z",
"dateUpdated": "2024-09-25T15:28:11.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.