Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

835 vulnerabilities reference this CWE, most recent first.

GHSA-FMMW-R3G8-J32W

Vulnerability from github – Published: 2025-01-07 00:31 – Updated: 2025-04-02 15:31
VLAI
Details

An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication.",
  "id": "GHSA-fmmw-r3g8-j32w",
  "modified": "2025-04-02T15:31:10Z",
  "published": "2025-01-07T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shuanunio/CVE_Requests/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shuanunio/CVE_Requests/blob/main/AVM/fritz/AVM_FRITZ%21Box_7530%20AX_unauthorized_access_vulnerability_first.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPG5-7W95-PCWJ

Vulnerability from github – Published: 2024-10-04 15:31 – Updated: 2024-10-04 15:31
VLAI
Details

A vulnerability was found in Netadmin Software NetAdmin IAM up to 3.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /controller/api/Answer/ReturnUserQuestionsFilled of the component HTTP POST Request Handler. The manipulation of the argument username leads to information exposure through discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-04T13:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Netadmin Software NetAdmin IAM up to 3.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /controller/api/Answer/ReturnUserQuestionsFilled of the component HTTP POST Request Handler. The manipulation of the argument username leads to information exposure through discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fpg5-7w95-pcwj",
  "modified": "2024-10-04T15:31:22Z",
  "published": "2024-10-04T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9513"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.279212"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.279212"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.413498"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FPGH-HVP5-CQC2

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-12-26 03:30
VLAI
Details

The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.",
  "id": "GHSA-fpgh-hvp5-cqc2",
  "modified": "2022-12-26T03:30:21Z",
  "published": "2022-05-24T17:07:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18222"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3GWQNONS7GRORXZJ7MOJFUEJ2ZJ4OUW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NGDACU65MYZXXVPQP2EBHUJGOR4RWLVY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A3GWQNONS7GRORXZJ7MOJFUEJ2ZJ4OUW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGDACU65MYZXXVPQP2EBHUJGOR4RWLVY"
    },
    {
      "type": "WEB",
      "url": "https://tls.mbed.org/tech-updates/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPJ7-9XM6-8HGR

Vulnerability from github – Published: 2022-01-21 23:38 – Updated: 2023-05-24 14:00
VLAI
Summary
Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin
Details

Jenkins Configuration as Code Plugin prior to 1.55.1, 1.54.1, 1.53.1, and 1.47.1 does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1, 1.54.1, 1.53.1, and 1.47.1 now uses a constant-time comparison when validating authentication tokens.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.55"
            },
            {
              "fixed": "1.55.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.55"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54"
            },
            {
              "fixed": "1.54.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.54"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.48"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.47.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-20T14:42:40Z",
    "nvd_published_at": "2022-01-12T20:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins Configuration as Code Plugin prior to 1.55.1, 1.54.1, 1.53.1, and 1.47.1 does not use a constant-time comparison when checking whether two authentication tokens are equal.\n\nThis could potentially allow attackers to use statistical methods to obtain a valid authentication token.\n\nConfiguration as Code Plugin 1.55.1, 1.54.1, 1.53.1, and 1.47.1 now uses a constant-time comparison when validating authentication tokens.",
  "id": "GHSA-fpj7-9xm6-8hgr",
  "modified": "2023-05-24T14:00:21Z",
  "published": "2022-01-21T23:38:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/4f425675edf77d382a6fd10890f1a704ff3b2277"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/23xxx/CVE-2022-23106.json"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/configuration-as-code-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2141"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin"
}

GHSA-FQ62-4J88-QQ7X

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-09T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird \u003c 68.9.0, Firefox \u003c 77, and Firefox ESR \u003c 68.9.",
  "id": "GHSA-fq62-4j88-qq7x",
  "modified": "2022-05-24T17:22:37Z",
  "published": "2022-05-24T17:22:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12399"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1631576"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202007-49"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4421-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4726"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-21"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FR28-FGMM-PF3X

Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

In AppOpsService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-203430648

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In AppOpsService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-203430648",
  "id": "GHSA-fr28-fgmm-pf3x",
  "modified": "2022-08-16T00:00:22Z",
  "published": "2022-08-13T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20291"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR5F-M86P-4H8F

Vulnerability from github – Published: 2024-12-16 21:30 – Updated: 2024-12-16 21:30
VLAI
Details

A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-16T19:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-fr5f-m86p-4h8f",
  "modified": "2024-12-16T21:30:56Z",
  "published": "2024-12-16T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12663"
    },
    {
      "type": "WEB",
      "url": "https://github.com/funnyzpc/mee-admin/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.288532"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.288532"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.458371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FV5Q-CM23-V6V8

Vulnerability from github – Published: 2022-04-29 01:26 – Updated: 2022-04-29 01:26
VLAI
Details

Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-0637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-08-27T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.",
  "id": "GHSA-fv5q-cm23-v6v8",
  "modified": "2022-04-29T01:26:45Z",
  "published": "2022-04-29T01:26:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0637"
    },
    {
      "type": "WEB",
      "url": "http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FVQX-M97J-37QC

Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-06 18:30
VLAI
Details

In ContentService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-30T17:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In ContentService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-fvqx-m97j-37qc",
  "modified": "2023-11-06T18:30:18Z",
  "published": "2023-10-30T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21317"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/android-14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FWGH-82PJ-8VP9

Vulnerability from github – Published: 2023-01-10 21:30 – Updated: 2025-05-30 18:30
VLAI
Details

In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.",
  "id": "GHSA-fwgh-82pj-8vp9",
  "modified": "2025-05-30T18:30:44Z",
  "published": "2023-01-10T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30332"
    },
    {
      "type": "WEB",
      "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-30332"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/204.html"
    },
    {
      "type": "WEB",
      "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2022-30332"
    },
    {
      "type": "WEB",
      "url": "https://help.talend.com/r/62tbPt7y~tPTxAB7y7KpeQ/H45WqEF32geNEZiGJnRwmw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.