Common Weakness Enumeration

CWE-208

Allowed

Observable Timing Discrepancy

Abstraction: Base · Status: Incomplete

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

306 vulnerabilities reference this CWE, most recent first.

GHSA-W322-W9FV-RX3M

Vulnerability from github – Published: 2024-04-04 15:30 – Updated: 2024-04-04 15:30
VLAI
Details

A timing-based side-channel exists in the rust-openssl package, which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages for decryption. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T14:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A timing-based side-channel exists in the rust-openssl package, which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages for decryption. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.",
  "id": "GHSA-w322-w9fv-rx3m",
  "modified": "2024-04-04T15:30:34Z",
  "published": "2024-04-04T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3296"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-3296"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269723"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4CX-V96X-C4G8

Vulnerability from github – Published: 2023-01-07 12:30 – Updated: 2023-01-12 18:30
VLAI
Details

A vulnerability was found in Pylons horus and classified as problematic. Affected by this issue is some unknown functionality of the file horus/flows/local/services.py. The manipulation leads to observable timing discrepancy. The name of the patch is fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec. It is recommended to apply a patch to fix this issue. VDB-217598 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-125056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-07T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Pylons horus and classified as problematic. Affected by this issue is some unknown functionality of the file horus/flows/local/services.py. The manipulation leads to observable timing discrepancy. The name of the patch is fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec. It is recommended to apply a patch to fix this issue. VDB-217598 is the identifier assigned to this vulnerability.",
  "id": "GHSA-w4cx-v96x-c4g8",
  "modified": "2023-01-12T18:30:28Z",
  "published": "2023-01-07T12:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125056"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/horus/commit/fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217598"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217598"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6M9-39CV-2FWP

Vulnerability from github – Published: 2026-04-13 19:31 – Updated: 2026-04-24 20:37
VLAI
Summary
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Details

Summary

A timing side-channel in the login endpoint allows unauthenticated attackers to determine whether a username exists by measuring response time differences. Requests for valid usernames take noticeably longer because the server performs bcrypt password verification, while requests for nonexistent usernames return much faster. This enables reliable remote username enumeration and increases the risk of targeted credential attacks.

Details

The issue affects the login endpoint:

  • POST /api/auth/token

The root cause is that authentication processing takes different code paths depending on whether the supplied username exists. When the username is found, the server performs bcrypt.CompareHashAndPassword, which adds substantial latency. When the username does not exist, the server returns immediately without performing an equivalent bcrypt operation.

Vulnerable flow:

user, err := db.Where("username = ?", username).First(&user)
if err != nil {
    return ErrUnauthorized
}
err = bcrypt.CompareHashAndPassword(user.PasswordHash, []byte(password))

This creates a measurable timing discrepancy between: - existing username + wrong password requests, which incur bcrypt cost - nonexistent username + any password requests, which avoid bcrypt entirely

Because no constant-time equalization is performed, the endpoint leaks account existence through timing behavior.

The measurements provided show a large and consistent gap between the two cases across repeated trials, making the difference distinguishable without requiring especially high request volume. In the supplied test results: - existing user requests averaged about 0.0616s - nonexistent user requests averaged about 0.0027s

That gap is large enough to support reliable username enumeration under typical testing conditions.

PoC

The issue can be reproduced by sending repeated authentication attempts to the login endpoint using the same invalid password while alternating between a known valid username and a nonexistent username, then comparing average response times. Valid usernames consistently take longer because bcrypt verification is performed.

Impact

  • Type: Timing side-channel / username enumeration
  • Who is impacted: Any deployment exposing the affected login endpoint
  • Security impact: Unauthenticated attackers can confirm valid usernames one at a time, improving the effectiveness of credential stuffing, password spraying, phishing, and other targeted account attacks
  • Attack preconditions: None beyond network access to the login endpoint
  • Confidentiality impact: Low to moderate, depending on the sensitivity of account existence in the target environment
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/enchant97/note-mark/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.2-0.20260411145025-cf4c6f6acf70"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-13T19:31:50Z",
    "nvd_published_at": "2026-04-17T01:17:40Z",
    "severity": "LOW"
  },
  "details": "### Summary\nA timing side-channel in the login endpoint allows unauthenticated attackers to determine whether a username exists by measuring response time differences. Requests for valid usernames take noticeably longer because the server performs bcrypt password verification, while requests for nonexistent usernames return much faster. This enables reliable remote username enumeration and increases the risk of targeted credential attacks.\n\n### Details\nThe issue affects the login endpoint:\n\n- `POST /api/auth/token`\n\nThe root cause is that authentication processing takes different code paths depending on whether the supplied username exists. When the username is found, the server performs `bcrypt.CompareHashAndPassword`, which adds substantial latency. When the username does not exist, the server returns immediately without performing an equivalent bcrypt operation.\n\nVulnerable flow:\n\n```go\nuser, err := db.Where(\"username = ?\", username).First(\u0026user)\nif err != nil {\n    return ErrUnauthorized\n}\nerr = bcrypt.CompareHashAndPassword(user.PasswordHash, []byte(password))\n```\n\nThis creates a measurable timing discrepancy between:\n- **existing username + wrong password** requests, which incur bcrypt cost\n- **nonexistent username + any password** requests, which avoid bcrypt entirely\n\nBecause no constant-time equalization is performed, the endpoint leaks account existence through timing behavior.\n\nThe measurements provided show a large and consistent gap between the two cases across repeated trials, making the difference distinguishable without requiring especially high request volume. In the supplied test results:\n- existing user requests averaged about `0.0616s`\n- nonexistent user requests averaged about `0.0027s`\n\nThat gap is large enough to support reliable username enumeration under typical testing conditions.\n\n### PoC\nThe issue can be reproduced by sending repeated authentication attempts to the login endpoint using the same invalid password while alternating between a known valid username and a nonexistent username, then comparing average response times. Valid usernames consistently take longer because bcrypt verification is performed.\n\n### Impact\n- **Type:** Timing side-channel / username enumeration\n- **Who is impacted:** Any deployment exposing the affected login endpoint\n- **Security impact:** Unauthenticated attackers can confirm valid usernames one at a time, improving the effectiveness of credential stuffing, password spraying, phishing, and other targeted account attacks\n- **Attack preconditions:** None beyond network access to the login endpoint\n- **Confidentiality impact:** Low to moderate, depending on the sensitivity of account existence in the target environment",
  "id": "GHSA-w6m9-39cv-2fwp",
  "modified": "2026-04-24T20:37:10Z",
  "published": "2026-04-13T19:31:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/enchant97/note-mark"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel"
}

GHSA-W782-GJG9-CJX6

Vulnerability from github – Published: 2024-08-30 00:31 – Updated: 2024-08-30 00:31
VLAI
Details

The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-29T23:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to:  https://doi.org/10.46586/tches.v2024.i1.457-500",
  "id": "GHSA-w782-gjg9-cjx6",
  "modified": "2024-08-30T00:31:23Z",
  "published": "2024-08-30T00:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-566-dec-19-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W799-PRG3-CX77

Vulnerability from github – Published: 2022-05-17 03:02 – Updated: 2024-10-16 20:42
VLAI
Summary
python-jose failure to use a constant time comparison for HMAC keys
Details

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-7036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T21:03:29Z",
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.",
  "id": "GHSA-w799-prg3-cx77",
  "modified": "2024-10-16T20:42:13Z",
  "published": "2022-05-17T03:02:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mpdavis/python-jose/commit/73007d6887a7517ac07c6e755e494baee49ef513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mpdavis/python-jose"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mpdavis/python-jose/releases/tag/1.3.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2017-28.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210123221523/http://www.securityfocus.com/bid/95845"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-jose failure to use a constant time comparison for HMAC keys"
}

GHSA-W7JR-WQW6-54XC

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-12-19 21:06
VLAI
Summary
Non-constant time comparison of inbound TCP agent connection secret
Details

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.204.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.204.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.218"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.205"
            },
            {
              "fixed": "2.219"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T21:06:40Z",
    "nvd_published_at": "2020-01-29T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret.\n\nJenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets.",
  "id": "GHSA-w7jr-wqw6-54xc",
  "modified": "2022-12-19T21:06:40Z",
  "published": "2022-05-24T17:07:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/0ba36508187ff771bba87feaf03057496775064c"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2020:0402"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2020:0675"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0681"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0683"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/01/29/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Non-constant time comparison of inbound TCP agent connection secret"
}

GHSA-WJ6H-64FC-37MP

Vulnerability from github – Published: 2024-01-22 21:35 – Updated: 2025-07-30 18:17
VLAI
Summary
Minerva timing attack on P-256 in python-ecdsa
Details

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the ecdsa.SigningKey.sign_digest() API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ecdsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208",
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-22T21:35:27Z",
    "nvd_published_at": "2024-01-23T00:15:26Z",
    "severity": "HIGH"
  },
  "details": "python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.",
  "id": "GHSA-wj6h-64fc-37mp",
  "modified": "2025-07-30T18:17:40Z",
  "published": "2024-01-22T21:35:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23342"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tlsfuzzer/python-ecdsa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"
    },
    {
      "type": "WEB",
      "url": "https://minerva.crocs.fi.muni.cz"
    },
    {
      "type": "WEB",
      "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Minerva timing attack on P-256 in python-ecdsa"
}

GHSA-WQQ3-WFMP-V85G

Vulnerability from github – Published: 2026-04-16 21:10 – Updated: 2026-04-27 16:08
VLAI
Summary
Mojic: Observable Timing Discrepancy in HMAC Verification
Details

Summary

The CipherEngine in Mojic v2.1.3 uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack.

Details

In lib/CipherEngine.js, the footer check validates the HMAC signature using a standard string comparison: if (footerHex !== calcDigest) { ... }

Standard string comparisons in JavaScript short-circuit; they return false the moment a character mismatch occurs. Because the time taken to evaluate the comparison is proportional to the number of matching leading bytes, an attacker can measure the exact microseconds it takes for the engine to throw the FILE_TAMPERED error. By repeatedly altering the signature byte-by-byte and analyzing these minute timing differences, a malicious actor can theoretically forge a valid HMAC signature without possessing the decryption password.

PoC

The vulnerable implementation is located in lib/CipherEngine.js, within the getDecryptStream() flush method (approximately line 265):

// Vulnerable Code
if (footerHex !== calcDigest) {
    this.emit('error', new Error("FILE_TAMPERED"));
    return;
}

Recommended Remediation:

Replace the standard equality operator with Node.js's built-in constant-time comparison utility, crypto.timingSafeEqual().

// Remediated Code
const footerBuffer = Buffer.from(footerHex, 'hex');
const calcBuffer = Buffer.from(calcDigest, 'hex');

if (footerBuffer.length !== calcBuffer.length || !crypto.timingSafeEqual(footerBuffer, calcBuffer)) {
    this.emit('error', new Error("FILE_TAMPERED"));
    return;
}

Impact

If successfully exploited, an attacker could tamper with the encrypted .mojic payload and forge a valid HMAC signature. This bypasses the integrity seal, tricking the decryption engine into processing maliciously injected emoji streams. Because the engine translates these emojis back into C keywords and raw data chunks, this could ultimately result in arbitrary Code Injection into the restored .c source code when an unsuspecting user decrypts the tampered file.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mojic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:10:17Z",
    "nvd_published_at": "2026-04-24T20:16:26Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `CipherEngine` in Mojic v2.1.3 uses a standard equality operator (`!==`) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack.\n\n### Details\nIn `lib/CipherEngine.js`, the footer check validates the HMAC signature using a standard string comparison:\n`if (footerHex !== calcDigest) { ... }`\n\nStandard string comparisons in JavaScript short-circuit; they return `false` the moment a character mismatch occurs. Because the time taken to evaluate the comparison is proportional to the number of matching leading bytes, an attacker can measure the exact microseconds it takes for the engine to throw the `FILE_TAMPERED` error. By repeatedly altering the signature byte-by-byte and analyzing these minute timing differences, a malicious actor can theoretically forge a valid HMAC signature without possessing the decryption password.\n\n### PoC\nThe vulnerable implementation is located in `lib/CipherEngine.js`, within the `getDecryptStream()` flush method (approximately line 265):\n\n```javascript\n// Vulnerable Code\nif (footerHex !== calcDigest) {\n    this.emit(\u0027error\u0027, new Error(\"FILE_TAMPERED\"));\n    return;\n}\n```\n\n### Recommended Remediation:\nReplace the standard equality operator with Node.js\u0027s built-in constant-time comparison utility, crypto.timingSafeEqual().\n\n```JavaScript\n// Remediated Code\nconst footerBuffer = Buffer.from(footerHex, \u0027hex\u0027);\nconst calcBuffer = Buffer.from(calcDigest, \u0027hex\u0027);\n\nif (footerBuffer.length !== calcBuffer.length || !crypto.timingSafeEqual(footerBuffer, calcBuffer)) {\n    this.emit(\u0027error\u0027, new Error(\"FILE_TAMPERED\"));\n    return;\n}\n```\n\n### Impact\nIf successfully exploited, an attacker could tamper with the encrypted .mojic payload and forge a valid HMAC signature. This bypasses the integrity seal, tricking the decryption engine into processing maliciously injected emoji streams. Because the engine translates these emojis back into C keywords and raw data chunks, this could ultimately result in arbitrary Code Injection into the restored .c source code when an unsuspecting user decrypts the tampered file.",
  "id": "GHSA-wqq3-wfmp-v85g",
  "modified": "2026-04-27T16:08:33Z",
  "published": "2026-04-16T21:10:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41244"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/notamitgamer/mojic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mojic: Observable Timing Discrepancy in HMAC Verification"
}

GHSA-X2V7-W9J6-RQMX

Vulnerability from github – Published: 2025-03-28 03:30 – Updated: 2025-04-11 18:30
VLAI
Details

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string.

As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)."

This is similar to CVE-2020-36829

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T03:15:15Z",
    "severity": "HIGH"
  },
  "details": "String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string.\n\nAs stated in the documentation: \"If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents).\"\n\nThis is similar to\u00a0CVE-2020-36829",
  "id": "GHSA-x2v7-w9j6-rqmx",
  "modified": "2025-04-11T18:30:40Z",
  "published": "2025-03-28T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13939"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7P4-V8MJ-6FXX

Vulnerability from github – Published: 2025-08-21 18:31 – Updated: 2025-08-22 16:51
VLAI
Summary
Liferay Portal Username Enumeration Vulnerability
Details

Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time of the login request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.0-ga1"
            },
            {
              "last_affected": "7.4.3.132-ga132"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-22T16:51:24Z",
    "nvd_published_at": "2025-08-21T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time of the login request.",
  "id": "GHSA-x7p4-v8mj-6fxx",
  "modified": "2025-08-22T16:51:24Z",
  "published": "2025-08-21T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/f25bb9583f059f86937649fdacf940928ca3767b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/c8041d0f527388305897ac79f98d012bb31b82ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/9ce8b8dec237f9b9049760904fcefd06a8695832"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/9b4be82e964e9bbab1ce9824a61d9f40b28f38bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/862ca74aaf98c70823022b6556cdc8a339128f79"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/7118e956516d48792fb9365d1ae1f0ee971a8ac3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/6fdbb052a6e0cbe8b300138fb75f88df69f58799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/6f6f9f0922f6a13e21236915b864e0c1c12e47a9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/6629bb176c1f58ca852d599c013bd3e97b3312d3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/5b1bf48b0dc2a062928237ab1ea4a2274c63e652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/556450752159503476635c44736721ad797fa431"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/53e6dcaa31a7599df8de9d3cef92e59e95a2064e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/45c3ca76966ddfaf8fe650f28910b0f55536f2b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/38c0a06cebf0d635aa2af9912c068217161fcf1e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/367dc7d19aa31eaf881f217ceff9610f1747e2d7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/33697cf599a2c573ef9571696af55476ecc2ada6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/18a88af5409a5085cb094f5bc55229d5e03a9f29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/06b603671f0e76cd50f56d803a310a3c79944d1d"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-18149"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43754"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "http://github.com/liferay/liferay-portal/commit/8199c568a66d66d6ad7ac450d3c69f6e0e9bd181"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Username Enumeration Vulnerability"
}

No mitigation information available for this CWE.

CAPEC-462: Cross-Domain Search Timing

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

CAPEC-541: Application Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

CAPEC-580: System Footprinting

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.