CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-JQ4F-HHCJ-JMWX
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00In ContentResolver, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-190726121
{
"affected": [],
"aliases": [
"CVE-2022-20316"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T15:15:00Z",
"severity": "LOW"
},
"details": "In ContentResolver, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-190726121",
"id": "GHSA-jq4f-hhcj-jmwx",
"modified": "2022-08-16T00:00:23Z",
"published": "2022-08-13T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20316"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQ9V-W478-9X4W
Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-07 03:30In InputMethod, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21331"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T17:15:49Z",
"severity": "MODERATE"
},
"details": "In InputMethod, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-jq9v-w478-9x4w",
"modified": "2023-11-07T03:30:25Z",
"published": "2023-10-30T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21331"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JR94-GJ3H-C8RF
Vulnerability from github – Published: 2026-02-12 22:13 – Updated: 2026-02-13 17:15Summary
A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.
Details
The password reset endpoint implements a timing protection mechanism to prevent user enumeration; however, URL validation executes before the timing protection is applied. This allows an attacker to distinguish between valid and invalid user accounts based on response timing differences.
Impact
This vulnerability violates user privacy and may facilitate targeted phishing attacks by allowing attackers to confirm the existence of user accounts.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.14.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@directus/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "32.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26185"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-12T22:13:04Z",
"nvd_published_at": "2026-02-12T22:16:07Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.\n\n### Details\n\nThe password reset endpoint implements a timing protection mechanism to prevent user enumeration; however, URL validation executes before the timing protection is applied. This allows an attacker to distinguish between valid and invalid user accounts based on response timing differences.\n\n### Impact\n\nThis vulnerability violates user privacy and may facilitate targeted phishing attacks by allowing attackers to confirm the existence of user accounts.",
"id": "GHSA-jr94-gj3h-c8rf",
"modified": "2026-02-13T17:15:48Z",
"published": "2026-02-12T22:13:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26185"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/pull/26485"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v11.14.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus Vulnerable to User Enumeration via Password Reset Timing Attack"
}
GHSA-JVFR-JF2P-RC53
Vulnerability from github – Published: 2025-03-21 06:30 – Updated: 2025-03-21 06:30An issue was discovered in OpenSlides before 4.2.5. During login at the /system/auth/login/ endpoint, the system's response times differ depending on whether a user exists in the system. The timing discrepancy stems from the omitted hashing of the password (e.g., more than 100 milliseconds).
{
"affected": [],
"aliases": [
"CVE-2025-30344"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-21T06:15:26Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OpenSlides before 4.2.5. During login at the /system/auth/login/ endpoint, the system\u0027s response times differ depending on whether a user exists in the system. The timing discrepancy stems from the omitted hashing of the password (e.g., more than 100 milliseconds).",
"id": "GHSA-jvfr-jf2p-rc53",
"modified": "2025-03-21T06:30:27Z",
"published": "2025-03-21T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30344"
},
{
"type": "WEB",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JVJ3-GQJM-CG8P
Vulnerability from github – Published: 2023-11-28 12:31 – Updated: 2025-11-04 21:30A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
{
"affected": [],
"aliases": [
"CVE-2023-5981"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-28T12:15:07Z",
"severity": "HIGH"
},
"details": "A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.",
"id": "GHSA-jvj3-gqjm-cg8p",
"modified": "2025-11-04T21:30:48Z",
"published": "2023-11-28T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5981"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0155"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0399"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0451"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0533"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1383"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-5981"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248445"
},
{
"type": "WEB",
"url": "https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JVQ2-W86Q-PW44
Vulnerability from github – Published: 2023-05-30 21:30 – Updated: 2024-04-04 04:23Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy
{
"affected": [],
"aliases": [
"CVE-2023-31186"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T20:15:10Z",
"severity": "MODERATE"
},
"details": "Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy",
"id": "GHSA-jvq2-w86q-pw44",
"modified": "2024-04-04T04:23:59Z",
"published": "2023-05-30T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31186"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JWCX-M84W-H98G
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-01-31 21:32The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.
{
"affected": [],
"aliases": [
"CVE-2023-28770"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T09:15:09Z",
"severity": "HIGH"
},
"details": "The sensitive information exposure vulnerability in the CGI \u201cExport_Log\u201d and the binary \u201czcmd\u201d in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.",
"id": "GHSA-jwcx-m84w-h98g",
"modified": "2025-01-31T21:32:44Z",
"published": "2023-07-06T19:24:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28770"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/172277"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172277/Zyxel-Chained-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JWJH-W2WP-2GVV
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."
{
"affected": [],
"aliases": [
"CVE-2020-13844"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-08T23:15:00Z",
"severity": "LOW"
},
"details": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"",
"id": "GHSA-jwjh-w2wp-2gvv",
"modified": "2022-05-24T17:19:36Z",
"published": "2022-05-24T17:19:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844"
},
{
"type": "WEB",
"url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
},
{
"type": "WEB",
"url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation"
},
{
"type": "WEB",
"url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions"
},
{
"type": "WEB",
"url": "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html"
},
{
"type": "WEB",
"url": "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXQV-JCVH-7GR4
Vulnerability from github – Published: 2022-07-30 00:00 – Updated: 2024-05-20 21:28The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/runatlantis/atlantis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.19.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24912"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-06T05:21:43Z",
"nvd_published_at": "2022-07-29T10:15:00Z",
"severity": "HIGH"
},
"details": "The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.",
"id": "GHSA-jxqv-jcvh-7gr4",
"modified": "2024-05-20T21:28:30Z",
"published": "2022-07-30T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24912"
},
{
"type": "WEB",
"url": "https://github.com/runatlantis/atlantis/issues/2391"
},
{
"type": "WEB",
"url": "https://github.com/runatlantis/atlantis/pull/2392"
},
{
"type": "WEB",
"url": "https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820"
},
{
"type": "PACKAGE",
"url": "https://github.com/runatlantis/atlantis"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0534"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Atlantis Events vulnerable to Timing Attack"
}
GHSA-JXV6-M6PM-CQH2
Vulnerability from github – Published: 2023-12-19 15:30 – Updated: 2023-12-22 12:31Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.
{
"affected": [],
"aliases": [
"CVE-2023-6135"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-19T14:15:07Z",
"severity": "MODERATE"
},
"details": "Multiple NSS NIST curves were susceptible to a side-channel attack known as \"Minerva\". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox \u003c 121.",
"id": "GHSA-jxv6-m6pm-cqh2",
"modified": "2023-12-22T12:31:46Z",
"published": "2023-12-19T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6135"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1853908"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-10"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-56"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.