Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-56PM-3VMF-87QJ

Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-03 21:30
VLAI
Details

In Package Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-30T17:15:51Z",
    "severity": "LOW"
  },
  "details": "In Package Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-56pm-3vmf-87qj",
  "modified": "2023-11-03T21:30:24Z",
  "published": "2023-10-30T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21349"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/android-14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-575W-JRPQ-Q9XV

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16869"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-03T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
  "id": "GHSA-575w-jrpq-q9xv",
  "modified": "2022-05-13T01:12:24Z",
  "published": "2022-05-13T01:12:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16869"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16869"
    },
    {
      "type": "WEB",
      "url": "http://cat.eyalro.net"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-579X-CJVR-CQJ9

Vulnerability from github – Published: 2021-09-20 19:53 – Updated: 2021-09-17 18:38
VLAI
Summary
Observable Response Discrepancy in Lost Password Service
Details

Impact

It is possible to enumerate usernames via the forgot password functionality

Patches

Update to version 10.1.3 or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/10223.patch manually.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-17T18:38:47Z",
    "nvd_published_at": "2021-09-15T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt is possible to enumerate usernames via the forgot password functionality\n\n### Patches\nUpdate to version `10.1.3` or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patch\n\n### Workarounds\nApply https://github.com/pimcore/pimcore/pull/10223.patch manually. \n",
  "id": "GHSA-579x-cjvr-cqj9",
  "modified": "2021-09-17T18:38:47Z",
  "published": "2021-09-20T19:53:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-579x-cjvr-cqj9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/10223.patch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/10223/commits/d0a4de39cf05dce6af71f8ca039132bdfcbb0dce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Observable Response Discrepancy in Lost Password Service"
}

GHSA-57R8-4369-33XG

Vulnerability from github – Published: 2023-05-25 21:30 – Updated: 2024-04-04 04:20
VLAI
Details

The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.16 and below.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-25T19:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The server component of TIBCO Software Inc.\u0027s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application  access to read system files that are accessible to the web server. Affected releases are TIBCO Software Inc.\u0027s TIBCO EBX Add-ons: versions 4.5.16 and below.\n\n",
  "id": "GHSA-57r8-4369-33xg",
  "modified": "2024-04-04T04:20:28Z",
  "published": "2023-05-25T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26215"
    },
    {
      "type": "WEB",
      "url": "https://www.tibco.com/services/support/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58F3-GJMV-9J5X

Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-18 00:01
VLAI
Details

In startRanging of RttServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194798757

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In startRanging of RttServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194798757",
  "id": "GHSA-58f3-gjmv-9j5x",
  "modified": "2021-12-18T00:01:12Z",
  "published": "2021-12-16T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1026"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-58F5-HFQC-JGCH

Vulnerability from github – Published: 2021-04-19 14:57 – Updated: 2021-04-16 23:01
VLAI
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Details

jose is an npm library providing a number of cryptographic operations.

Impact

AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).

Patches

All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are ^1.28.1 || ^2.0.5 || >=3.11.4.

Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4

Credits

Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.28.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:01:38Z",
    "nvd_published_at": "2021-04-16T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "jose is an npm library providing a number of cryptographic operations.\n### Impact\n\n[AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).\n\n### Patches\n\nAll major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `^1.28.1 || ^2.0.5 || \u003e=3.11.4`.\n\nUsers should upgrade their v1.x dependency to [`^1.28.1`](https://github.com/panva/jose/releases/tag/v1.28.1), their v2.x dependency to [`^2.0.5`](https://github.com/panva/jose/releases/tag/v2.0.5), and their v3.x dependency to [`^3.11.4`](https://github.com/panva/jose/releases/tag/v3.11.4)\n\n### Credits\nThanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.",
  "id": "GHSA-58f5-hfqc-jgch",
  "modified": "2021-04-16T23:01:38Z",
  "published": "2021-04-19T14:57:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29443"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/jose"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Padding Oracle Attack due to Observable Timing Discrepancy in jose"
}

GHSA-58RR-W6GV-4P4H

Vulnerability from github – Published: 2024-06-10 03:30 – Updated: 2024-06-12 18:30
VLAI
Details

The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-10T02:15:47Z",
    "severity": "HIGH"
  },
  "details": "The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch.",
  "id": "GHSA-58rr-w6gv-4p4h",
  "modified": "2024-06-12T18:30:38Z",
  "published": "2024-06-10T03:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/antoonpurnal/clangover"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=40577486"
    },
    {
      "type": "WEB",
      "url": "https://pqshield.com/pqshield-plugs-timing-leaks-in-kyber-ml-kem-to-improve-pqc-implementation-maturity"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/purnaltoon/status/1797644696568959476"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58WF-97F5-PJQP

Vulnerability from github – Published: 2026-07-09 21:31 – Updated: 2026-07-10 18:32
VLAI
Details

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-51926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T21:16:55Z",
    "severity": "HIGH"
  },
  "details": "An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.",
  "id": "GHSA-58wf-97f5-pjqp",
  "modified": "2026-07-10T18:32:08Z",
  "published": "2026-07-09T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-51926"
    },
    {
      "type": "WEB",
      "url": "https://docuform.de"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ZeroBreach-GmbH"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FRX-2QVR-6R92

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird \u003c 91.10, Firefox \u003c 101, and Firefox ESR \u003c 91.10.",
  "id": "GHSA-5frx-2qvr-6r92",
  "modified": "2025-04-15T21:31:24Z",
  "published": "2022-12-22T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31742"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1730434"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-21"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G37-XX8Q-6W6X

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-02-15 21:31
VLAI
Details

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-07T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).",
  "id": "GHSA-5g37-xx8q-6w6x",
  "modified": "2024-02-15T21:31:25Z",
  "published": "2022-05-24T17:38:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3011"
    },
    {
      "type": "WEB",
      "url": "https://ninjalab.io/a-side-journey-to-titan"
    },
    {
      "type": "WEB",
      "url": "https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.