CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
GHSA-QHP6-635J-X7R2
Vulnerability from github – Published: 2026-02-20 18:25 – Updated: 2026-02-23 22:28Summary
A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.
Details
SWS validates the provided username before performing any password verification.
- Invalid Username: The server returns a 401 Unauthorized response immediately.
- Valid Username: The server proceeds to verify the password (e.g., using bcrypt), which introduces a different execution path and measurable timing discrepancy.
This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.
PoC
The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:
| User Type | Average Response Time |
|---|---|
| Invalid User | 0.409861 ms |
| Valid User | 0.250925 ms |
| Difference | ~0.158936 ms |
While the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.
Impact
Users using the SWS' Basic Authentication feature are primarily impacted.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "static-web-server"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.41.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27480"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-20T18:25:27Z",
"nvd_published_at": "2026-02-21T10:16:12Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.\n\n## Details\n\nSWS validates the provided username before performing any password verification.\n- **Invalid Username:** The server returns a `401 Unauthorized` response immediately.\n- **Valid Username:** The server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and measurable timing discrepancy.\n\nThis allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.\n\n## PoC\n\nThe following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:\n\n| User Type | Average Response Time |\n| :--- | :--- |\n| **Invalid User** | 0.409861 ms |\n| **Valid User** | 0.250925 ms |\n| **Difference** | **~0.158936 ms** |\n\nWhile the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.\n\n## Impact\n\nUsers using the SWS\u0027 Basic Authentication feature are primarily impacted.",
"id": "GHSA-qhp6-635j-x7r2",
"modified": "2026-02-23T22:28:57Z",
"published": "2026-02-20T18:25:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27480"
},
{
"type": "WEB",
"url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"
},
{
"type": "PACKAGE",
"url": "https://github.com/static-web-server/static-web-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames"
}
GHSA-QXRW-F6FH-34R7
Vulnerability from github – Published: 2026-05-06 23:49 – Updated: 2026-05-06 23:49Summary
The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to /api/v4/account/auth/resend_verification_email and distinguish accounts from misses.
Details
resend_verification_email() looks up the submitted address and returns the lookup error to the caller:
let local_user_view = LocalUserView::find_by_email(&mut context.pool(), &email).await?;
check_local_user_valid(&local_user_view)?;
The password reset endpoint already uses a safer pattern. It discards lookup errors and returns success, which prevents the same account-discovery channel.
Proof of Concept
The following script creates one user and probes that address plus a missing address.
import requests, random, string
BASE = "http://127.0.0.1:8536/api/v4" # change to the target Lemmy URL
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"
PASSWORD = "Password123456!"
def post(path, **body):
return requests.post(BASE + path, json=body)
suffix = "enum" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
admin = post("/account/auth/login", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()["jwt"]
requests.put(BASE + "/site", headers={"Authorization": "Bearer " + admin},
json={"registration_mode": "open", "email_verification_required": False})
email = "alice" + suffix + "@example.test"
post("/account/auth/register", username="alice" + suffix, password=PASSWORD,
password_verify=PASSWORD, email=email).raise_for_status()
for candidate in [email, "missing" + suffix + "@example.test"]:
r = post("/account/auth/resend_verification_email", email=candidate)
print(candidate, "HTTP", r.status_code, r.text[:300])
Output:
alicepoceudtpf@example.test HTTP 200 {"success":true}
missingpoceudtpf@example.test HTTP 404 {"error":"not_found","cause":"Record not found"}
Impact
A malicious third party can enumerate registered email addresses without authentication. The endpoint uses the registration rate limit bucket, not an endpoint-specific anti-enumeration limit, so the attacker can automate probes across candidate address lists. The response also distinguishes missing accounts from banned or deleted accounts because check_local_user_valid() returns separate error types.
Recommended Fix
Use the password-reset pattern for resend verification. Move the lookup and email-send work into a helper, ignore helper errors in the handler, and always return {"success": true} for syntactically valid input.
Found by aisafe.io
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "lemmy_api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.19.1-rc.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T23:49:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to `/api/v4/account/auth/resend_verification_email` and distinguish accounts from misses.\n\n## Details\n\n`resend_verification_email()` looks up the submitted address and returns the lookup error to the caller:\n\n```rust\nlet local_user_view = LocalUserView::find_by_email(\u0026mut context.pool(), \u0026email).await?;\ncheck_local_user_valid(\u0026local_user_view)?;\n```\n\nThe password reset endpoint already uses a safer pattern. It discards lookup errors and returns success, which prevents the same account-discovery channel.\n\n## Proof of Concept\n\nThe following script creates one user and probes that address plus a missing address.\n\n```python\nimport requests, random, string\n\nBASE = \"http://127.0.0.1:8536/api/v4\" # change to the target Lemmy URL\nADMIN_USER = \"lemmy\"\nADMIN_PASS = \"lemmylemmy\"\nPASSWORD = \"Password123456!\"\n\ndef post(path, **body):\n return requests.post(BASE + path, json=body)\n\nsuffix = \"enum\" + \"\".join(random.choice(string.ascii_lowercase) for _ in range(6))\nadmin = post(\"/account/auth/login\", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()[\"jwt\"]\nrequests.put(BASE + \"/site\", headers={\"Authorization\": \"Bearer \" + admin},\n json={\"registration_mode\": \"open\", \"email_verification_required\": False})\n\nemail = \"alice\" + suffix + \"@example.test\"\npost(\"/account/auth/register\", username=\"alice\" + suffix, password=PASSWORD,\n password_verify=PASSWORD, email=email).raise_for_status()\n\nfor candidate in [email, \"missing\" + suffix + \"@example.test\"]:\n r = post(\"/account/auth/resend_verification_email\", email=candidate)\n print(candidate, \"HTTP\", r.status_code, r.text[:300])\n\n```\n\nOutput:\n\n```text\nalicepoceudtpf@example.test HTTP 200 {\"success\":true}\nmissingpoceudtpf@example.test HTTP 404 {\"error\":\"not_found\",\"cause\":\"Record not found\"}\n```\n\n## Impact\n\nA malicious third party can enumerate registered email addresses without authentication. The endpoint uses the registration rate limit bucket, not an endpoint-specific anti-enumeration limit, so the attacker can automate probes across candidate address lists. The response also distinguishes missing accounts from banned or deleted accounts because `check_local_user_valid()` returns separate error types.\n\n## Recommended Fix\n\nUse the password-reset pattern for resend verification. Move the lookup and email-send work into a helper, ignore helper errors in the handler, and always return `{\"success\": true}` for syntactically valid input.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
"id": "GHSA-qxrw-f6fh-34r7",
"modified": "2026-05-06T23:49:18Z",
"published": "2026-05-06T23:49:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-qxrw-f6fh-34r7"
},
{
"type": "WEB",
"url": "https://github.com/LemmyNet/lemmy/commit/4afff1699d08920b9a9023e81b229d772b894d91"
},
{
"type": "PACKAGE",
"url": "https://github.com/LemmyNet/lemmy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Lemmy resend-verification endpoint exposes registered email addresses to unauthenticated users"
}
GHSA-R6J6-XP6Q-C876
Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2025-04-25 18:31A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authenticated requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.
{
"affected": [],
"aliases": [
"CVE-2022-0564"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authenticated requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.",
"id": "GHSA-r6j6-xp6q-c876",
"modified": "2025-04-25T18:31:01Z",
"published": "2022-02-22T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0564"
},
{
"type": "WEB",
"url": "https://community.qlik.com/t5/Release-Notes/Qlik-Sense-Enterprise-on-Windows-November-2021-Initial-Release/ta-p/1856531"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2022-0564"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2021-00021"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/cases/DIVD-2021-00021"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/cves/CVE-2022-0564"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R78M-94WM-V7CV
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:29Under certain circumstances a C•CURE Portal user could enumerate user accounts in C•CURE 9000 version 2.90 and prior versions. This issue affects: C•CURE 9000 2.90 and earlier version 2.90 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-36201"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-11T21:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain circumstances a C\u2022CURE Portal user could enumerate user accounts in C\u2022CURE 9000 version 2.90 and prior versions. This issue affects: C\u2022CURE 9000 2.90 and earlier version 2.90 and prior versions.",
"id": "GHSA-r78m-94wm-v7cv",
"modified": "2024-04-04T05:29:18Z",
"published": "2023-07-06T19:24:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36201"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9GF-V8WF-J3WQ
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 18:31The goTenna Pro ATAK Plugin has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.
{
"affected": [],
"aliases": [
"CVE-2024-41715"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:05Z",
"severity": "MODERATE"
},
"details": "The goTenna Pro ATAK Plugin has a payload length vulnerability that \nmakes it possible to tell the length of the payload regardless of the \nencryption used.",
"id": "GHSA-r9gf-v8wf-j3wq",
"modified": "2024-09-26T18:31:45Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41715"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R9X2-MG2V-MQ96
Vulnerability from github – Published: 2026-05-11 12:32 – Updated: 2026-05-11 12:32The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.
The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
{
"affected": [],
"aliases": [
"CVE-2024-0391"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T10:16:11Z",
"severity": "MODERATE"
},
"details": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences.",
"id": "GHSA-r9x2-mg2v-mq96",
"modified": "2026-05-11T12:32:31Z",
"published": "2026-05-11T12:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0391"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RP4X-67W5-6R6H
Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-09 21:31IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. Attackers can send requests with valid usernames to retrieve user information.
{
"affected": [],
"aliases": [
"CVE-2021-47717"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T21:15:50Z",
"severity": "MODERATE"
},
"details": "IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the \u0027ctl00$MainContent$UserName\u0027 POST parameter. Attackers can send requests with valid usernames to retrieve user information.",
"id": "GHSA-rp4x-67w5-6r6h",
"modified": "2025-12-09T21:31:48Z",
"published": "2025-12-09T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47717"
},
{
"type": "WEB",
"url": "https://www.eforcesoftware.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50164"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/intellichoice-eforce-software-suite-username-enumeration"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5658.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RRQC-C2JX-6JGV
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-30 19:02An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "5.1"
},
{
"fixed": "5.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "5.0"
},
{
"fixed": "5.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45231"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-08T21:17:00Z",
"nvd_published_at": "2024-10-08T16:15:11Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).",
"id": "GHSA-rrqc-c2jx-6jgv",
"modified": "2024-10-30T19:02:43Z",
"published": "2024-10-08T18:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45231"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django allows enumeration of user e-mail addresses"
}
GHSA-V4W4-RM3V-Q5G6
Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 12:31{
"affected": [],
"aliases": [
"CVE-2025-46390"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T11:15:28Z",
"severity": "HIGH"
},
"details": "CWE-204: Observable Response Discrepancy",
"id": "GHSA-v4w4-rm3v-q5g6",
"modified": "2025-08-06T12:31:20Z",
"published": "2025-08-06T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46390"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V5P4-QXG5-3JH2
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
{
"affected": [],
"aliases": [
"CVE-2021-34580"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-27T11:15:00Z",
"severity": "HIGH"
},
"details": "In mymbCONNECT24, mbCONNECT24 \u003c= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.",
"id": "GHSA-v5p4-qxg5-3jh2",
"modified": "2022-05-24T19:18:58Z",
"published": "2022-05-24T19:18:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34580"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2021-037"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.