CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
GHSA-WMWF-49VV-P3MR
Vulnerability from github – Published: 2023-08-03 19:44 – Updated: 2023-08-04 13:31Impact
It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist.
Impacted by this issue are Sulu installation >= 2.5.0 and <2.5.10 using the newer Symfony Security System which is default since Symfony 6.0 but can be enabled in Symfony 5.4. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue.
Patches
The problem has been patched in version 2.5.10.
Workarounds
Create a custom AuthenticationFailureHandler which does not return the $exception->getMessage(); instead the $exception->getMessageKey();
References
Currently no references.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sulu/sulu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-39343"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T19:44:28Z",
"nvd_published_at": "2023-08-04T01:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIt allows over the Admin Login form to detect which user (username, email) exists and which one do not exist.\n\nImpacted by this issue are Sulu installation \u003e= 2.5.0 and \u003c2.5.10 using the newer Symfony Security System which is default since Symfony 6.0 but can be enabled in Symfony 5.4. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue.\n\n### Patches\n\nThe problem has been patched in version 2.5.10. \n\n### Workarounds\n\nCreate a custom AuthenticationFailureHandler which does not return the `$exception-\u003egetMessage();` instead the `$exception-\u003egetMessageKey();`\n\n### References\n\nCurrently no references.\n",
"id": "GHSA-wmwf-49vv-p3mr",
"modified": "2023-08-04T13:31:19Z",
"published": "2023-08-03T19:44:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39343"
},
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sulu/sulu/CVE-2023-39343.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sulu/sulu"
},
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/releases/tag/2.5.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sulu Observable Response Discrepancy on Admin Login"
}
GHSA-WQ63-C6FV-J4J6
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-10-04 18:31The goTenna Pro has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.
{
"affected": [],
"aliases": [
"CVE-2024-47129"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:09Z",
"severity": "MODERATE"
},
"details": "The goTenna Pro has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.",
"id": "GHSA-wq63-c6fv-j4j6",
"modified": "2024-10-04T18:31:09Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47129"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X6WP-VGMQ-CC83
Vulnerability from github – Published: 2024-03-15 09:30 – Updated: 2024-03-15 09:30A vulnerability has been found in Surya2Developer Hostel Management Service 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /check_availability.php of the component HTTP POST Request Handler. The manipulation of the argument oldpassword leads to observable response discrepancy. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256891.
{
"affected": [],
"aliases": [
"CVE-2024-2482"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-15T07:15:10Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in Surya2Developer Hostel Management Service 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /check_availability.php of the component HTTP POST Request Handler. The manipulation of the argument oldpassword leads to observable response discrepancy. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256891.",
"id": "GHSA-x6wp-vgmq-cc83",
"modified": "2024-03-15T09:30:37Z",
"published": "2024-03-15T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2482"
},
{
"type": "WEB",
"url": "https://github.com/blackslim3/cve_sidequest/blob/main/poc/Username_and_Password_Enumeration%20on%20Hostel%20Management%20System%20using%20PHP%20and%20MySQL%201.0.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.256891"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.256891"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X739-3P6G-JXHJ
Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-24342"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T12:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests.",
"id": "GHSA-x739-3p6g-jxhj",
"modified": "2025-04-30T12:31:24Z",
"published": "2025-04-30T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24342"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X854-VVHC-P3C8
Vulnerability from github – Published: 2025-06-11 15:30 – Updated: 2025-06-11 15:30IBM Security Verify Access Appliance and Docker 10.0 through 10.0.8 could allow a remote attacker to enumerate usernames due to an observable response discrepancy of disabled accounts.
{
"affected": [],
"aliases": [
"CVE-2025-0163"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-11T15:15:29Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Access Appliance and Docker 10.0 through 10.0.8 could allow a remote attacker to enumerate usernames due to an observable response discrepancy of disabled accounts.",
"id": "GHSA-x854-vvhc-p3c8",
"modified": "2025-06-11T15:30:29Z",
"published": "2025-06-11T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0163"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7236314"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XW86-Q236-P57V
Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-05-13 12:31A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.
{
"affected": [],
"aliases": [
"CVE-2024-51447"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T10:15:21Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions \u003c V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.",
"id": "GHSA-xw86-q236-p57v",
"modified": "2025-05-13T12:31:35Z",
"published": "2025-05-13T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51447"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-162255.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XXW2-9C45-R2HR
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-18 15:30Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-2859"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:34Z",
"severity": "MODERATE"
},
"details": "Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure.",
"id": "GHSA-xxw2-9c45-r2hr",
"modified": "2026-03-18T15:30:42Z",
"published": "2026-03-13T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2859"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/18994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.