Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

836 vulnerabilities reference this CWE, most recent first.

GHSA-C6WG-CM5X-RQVJ

Vulnerability from github – Published: 2023-03-07 17:38 – Updated: 2023-03-07 17:38
VLAI
Summary
OpenSearch has time discrepancy in authentication responses
Details

Impact

There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs.

Patches

OpenSearch 1.3.9 and 2.6.0

Workarounds

None.

References

If you have any questions or comments about this advisory, please contact AWS/Amazon Security using our issue reporting page [1] or directly via email [2]. Please do not create a public GitHub issue.

[1] AWS Security issue reporting page: https://aws.amazon.com/security/vulnerability-reporting/ [2] AWS Security email: aws-security@amazon.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-07T17:38:38Z",
    "nvd_published_at": "2023-03-02T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThere is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs.\n\n### Patches\nOpenSearch 1.3.9 and 2.6.0\n\n### Workarounds\nNone.\n\n### References\nIf you have any questions or comments about this advisory, please contact AWS/Amazon Security using our issue reporting page [1] or directly via email [2]. Please do not create a public GitHub issue.\n\n[1] AWS Security issue reporting page: https://aws.amazon.com/security/vulnerability-reporting/\n[2] AWS Security email: [aws-security@amazon.com](mailto:aws-security@amazon.com)",
  "id": "GHSA-c6wg-cm5x-rqvj",
  "modified": "2023-03-07T17:38:38Z",
  "published": "2023-03-07T17:38:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-c6wg-cm5x-rqvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/security/pull/2472"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch has time discrepancy in authentication responses"
}

GHSA-C6XH-PW62-QH2J

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37
VLAI
Details

On Archos Safe-T devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-02T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On Archos Safe-T devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device\u0027s USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data.",
  "id": "GHSA-c6xh-pw62-qh2j",
  "modified": "2024-04-04T02:37:42Z",
  "published": "2022-05-24T17:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14358"
    },
    {
      "type": "WEB",
      "url": "https://blog.inhq.net/posts/oled-side-channel-status-summary"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C76G-76CJ-G742

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08
VLAI
Details

Smart cards from the Athena SCS manufacturer, based on the Atmel Toolbox 00.03.11.05 and the AT90SC chip, contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because the Atmel Toolbox 00.03.11.05 contains two versions of ECDSA signature functions, described as fast and secure, but the affected cards chose to use the fast version, which leaks the bit length of the random nonce via timing. This affects Athena IDProtect 010b.0352.0005, Athena IDProtect 010e.1245.0002, Athena IDProtect 0106.0130.0401, Athena IDProtect 010e.1245.0002, Valid S/A IDflex V 010b.0352.0005, SafeNet eToken 4300 010e.1245.0002, TecSec Armored Card 010e.0264.0001, and TecSec Armored Card 108.0264.0001.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-03T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Smart cards from the Athena SCS manufacturer, based on the Atmel Toolbox 00.03.11.05 and the AT90SC chip, contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because the Atmel Toolbox 00.03.11.05 contains two versions of ECDSA signature functions, described as fast and secure, but the affected cards chose to use the fast version, which leaks the bit length of the random nonce via timing. This affects Athena IDProtect 010b.0352.0005, Athena IDProtect 010e.1245.0002, Athena IDProtect 0106.0130.0401, Athena IDProtect 010e.1245.0002, Valid S/A IDflex V 010b.0352.0005, SafeNet eToken 4300 010e.1245.0002, TecSec Armored Card 010e.0264.0001, and TecSec Armored Card 108.0264.0001.",
  "id": "GHSA-c76g-76cj-g742",
  "modified": "2024-04-04T02:08:25Z",
  "published": "2022-05-24T16:57:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15809"
    },
    {
      "type": "WEB",
      "url": "https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/details?source=ECDSA\u0026number=214"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2011/232.pdf"
    },
    {
      "type": "WEB",
      "url": "https://minerva.crocs.fi.muni.cz"
    },
    {
      "type": "WEB",
      "url": "https://tches.iacr.org/index.php/TCHES/article/view/7337"
    },
    {
      "type": "WEB",
      "url": "https://www.ssi.gouv.fr/certification_cc/bibliotheque-cryptographique-atmel-toolbox-00-03-11-05"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/02/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7RP-5PRQ-C624

Vulnerability from github – Published: 2024-02-02 18:30 – Updated: 2024-02-09 21:30
VLAI
Details

Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T16:15:45Z",
    "severity": "MODERATE"
  },
  "details": "\nDell BSAFE Micro Edition Suite,\u00a0versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.\n\n",
  "id": "GHSA-c7rp-5prq-c624",
  "modified": "2024-02-09T21:30:57Z",
  "published": "2024-02-02T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21575"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000189462/dsa-2021-131-dell-bsafetm-micro-edition-suite-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7VV-QR7X-G477

Vulnerability from github – Published: 2022-04-29 03:01 – Updated: 2022-04-29 03:01
VLAI
Details

The firewall in Astaro Security Linux before 4.024 sends responses to SYN-FIN packets, which makes it easier for remote attackers to obtain information about the system and construct specialized attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-2252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-12-31T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The firewall in Astaro Security Linux before 4.024 sends responses to SYN-FIN packets, which makes it easier for remote attackers to obtain information about the system and construct specialized attacks.",
  "id": "GHSA-c7vv-qr7x-g477",
  "modified": "2022-04-29T03:01:05Z",
  "published": "2022-04-29T03:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-2252"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17960"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/13089"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1012065"
    },
    {
      "type": "WEB",
      "url": "http://www.astaro.org/showflat.php?Cat=\u0026Number=51459\u0026page=0\u0026view=collapsed\u0026sb=5\u0026o=\u0026fpart=1#51459"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/11407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CF4Q-V7MM-G53Q

Vulnerability from github – Published: 2024-09-03 21:31 – Updated: 2024-09-12 21:32
VLAI
Details

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45678"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-03T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.",
  "id": "GHSA-cf4q-v7mm-g53q",
  "modified": "2024-09-12T21:32:01Z",
  "published": "2024-09-03T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45678"
    },
    {
      "type": "WEB",
      "url": "https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=41434500"
    },
    {
      "type": "WEB",
      "url": "https://ninjalab.io/eucleak"
    },
    {
      "type": "WEB",
      "url": "https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf"
    },
    {
      "type": "WEB",
      "url": "https://support.yubico.com/hc/en-us/articles/15705749884444"
    },
    {
      "type": "WEB",
      "url": "https://www.yubico.com/support/security-advisories/ysa-2024-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG5M-P8PG-93CG

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2025-03-27 12:30
VLAI
Details

Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the !== used for comparison.

The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-764"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:50Z",
    "severity": "HIGH"
  },
  "details": "Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the `!==` used for comparison.\n\nThe risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute",
  "id": "GHSA-cg5m-p8pg-93cg",
  "modified": "2025-03-27T12:30:34Z",
  "published": "2024-02-26T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mintplex-labs/anything-llm/commit/3c859ba3038121b67fb98e87dc52617fa27cbef0"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/3e73cb96-c038-46a1-81b7-4d2215b36268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ89-CWCX-M929

Vulnerability from github – Published: 2022-11-21 09:30 – Updated: 2022-11-30 15:30
VLAI
Details

A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.",
  "id": "GHSA-cj89-cwcx-m929",
  "modified": "2022-11-30T15:30:26Z",
  "published": "2022-11-21T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.214054"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJP5-P4X3-X7JG

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2024-01-04 03:30
VLAI
Details

An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka "straight-line speculation, aka 'Windows ARM Information Disclosure Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-17T19:15:00Z",
    "severity": "LOW"
  },
  "details": "An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka \u0026quot;straight-line speculation, aka \u0027Windows ARM Information Disclosure Vulnerability\u0027.",
  "id": "GHSA-cjp5-p4x3-x7jg",
  "modified": "2024-01-04T03:30:32Z",
  "published": "2022-05-24T17:25:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1459"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1459"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CM2Q-67XF-JW8C

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-02-20 18:30
VLAI
Details

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-08T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox \u003c 80 and Firefox for Android \u003c 80.",
  "id": "GHSA-cm2q-67xf-jw8c",
  "modified": "2023-02-20T18:30:17Z",
  "published": "2022-05-24T17:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12401"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1631573"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-36"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-39"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.