CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
835 vulnerabilities reference this CWE, most recent first.
GHSA-G5VH-55HW-RXM8
Vulnerability from github – Published: 2026-07-02 13:46 – Updated: 2026-07-02 13:46Summary
The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords (the primary use case), the timing difference between a valid and invalid username is approximately 1,000,000:1 (~100ms vs ~100ns), enabling reliable remote username enumeration.
Vulnerable Code
File: middleware/basicauth/config.go, lines 126-138
if cfg.Authorizer == nil {
verifiers := make(map[string]func(string) bool, len(cfg.Users))
for u, hpw := range cfg.Users {
v, err := parseHashedPassword(hpw)
if err != nil {
panic(err)
}
verifiers[u] = v
}
cfg.Authorizer = func(user, pass string, _ fiber.Ctx) bool {
verify, ok := verifiers[user]
return ok && verify(pass) // line 137: short-circuit skips verify() if user unknown
}
}
Data Flow
- Attacker sends
Authorization: Basic <base64(candidate:wrongpass)> - BasicAuth middleware decodes credentials and calls
cfg.Authorizer(user, pass, c) - Map lookup
verifiers[user]returnsok=falsefor non-existent users - Go
&&short-circuit:false && verify(pass)returns immediately without callingverify() - For valid users,
verify(pass)executesbcrypt.CompareHashAndPassword()(line 167: ~100ms at default cost 10) - Timing difference: ~100ns (invalid user) vs ~100ms (valid user) = 1,000,000:1 ratio
Timing comparison by hash type:
| Hash Type | Valid User | Invalid User | Ratio |
|---|---|---|---|
| bcrypt ($2) | ~100 ms | ~100 ns | 1,000,000:1 |
| SHA-512 | ~1-5 us | ~100 ns | 10-50:1 |
| SHA-256 | ~1-5 us | ~100 ns | 10-50:1 |
Impact
- Username enumeration: Attacker reliably determines which usernames exist by measuring response latency
- Targeted brute force: After enumerating valid usernames, password brute force is focused only on real accounts
- Account discovery: In applications where usernames are sensitive (internal tools, admin panels), leaking their existence is itself a security issue
Notes
- Password hash comparisons themselves are timing-safe:
subtle.ConstantTimeCompareis used correctly for SHA-256 (line 185), SHA-512 (line 176), and bcrypt uses its own constant-time comparison - The fix is to always execute a dummy hash comparison for unknown users:
bcrypt.CompareHashAndPassword(dummyHash, []byte(pass))and discard the result - This pattern matches CVE-2023-36456 (Authentik timing oracle) and similar findings in other auth libraries
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/fiber/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44332"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T13:46:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe default `Authorizer` function in GoFiber\u0027s BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords (the primary use case), the timing difference between a valid and invalid username is approximately 1,000,000:1 (~100ms vs ~100ns), enabling reliable remote username enumeration.\n\n## Vulnerable Code\n\n**File:** `middleware/basicauth/config.go`, lines 126-138\n\n```go\nif cfg.Authorizer == nil {\n verifiers := make(map[string]func(string) bool, len(cfg.Users))\n for u, hpw := range cfg.Users {\n v, err := parseHashedPassword(hpw)\n if err != nil {\n panic(err)\n }\n verifiers[u] = v\n }\n cfg.Authorizer = func(user, pass string, _ fiber.Ctx) bool {\n verify, ok := verifiers[user]\n return ok \u0026\u0026 verify(pass) // line 137: short-circuit skips verify() if user unknown\n }\n}\n```\n\n## Data Flow\n\n1. Attacker sends `Authorization: Basic \u003cbase64(candidate:wrongpass)\u003e`\n2. BasicAuth middleware decodes credentials and calls `cfg.Authorizer(user, pass, c)`\n3. Map lookup `verifiers[user]` returns `ok=false` for non-existent users\n4. Go `\u0026\u0026` short-circuit: `false \u0026\u0026 verify(pass)` returns immediately without calling `verify()`\n5. For valid users, `verify(pass)` executes `bcrypt.CompareHashAndPassword()` (line 167: ~100ms at default cost 10)\n6. Timing difference: ~100ns (invalid user) vs ~100ms (valid user) = 1,000,000:1 ratio\n\n**Timing comparison by hash type:**\n\n| Hash Type | Valid User | Invalid User | Ratio |\n|-----------|-----------|--------------|-------|\n| bcrypt ($2) | ~100 ms | ~100 ns | 1,000,000:1 |\n| SHA-512 | ~1-5 us | ~100 ns | 10-50:1 |\n| SHA-256 | ~1-5 us | ~100 ns | 10-50:1 |\n\n## Impact\n\n- **Username enumeration:** Attacker reliably determines which usernames exist by measuring response latency\n- **Targeted brute force:** After enumerating valid usernames, password brute force is focused only on real accounts\n- **Account discovery:** In applications where usernames are sensitive (internal tools, admin panels), leaking their existence is itself a security issue\n\n## Notes\n\n- Password hash comparisons themselves are timing-safe: `subtle.ConstantTimeCompare` is used correctly for SHA-256 (line 185), SHA-512 (line 176), and bcrypt uses its own constant-time comparison\n- The fix is to always execute a dummy hash comparison for unknown users: `bcrypt.CompareHashAndPassword(dummyHash, []byte(pass))` and discard the result\n- This pattern matches CVE-2023-36456 (Authentik timing oracle) and similar findings in other auth libraries",
"id": "GHSA-g5vh-55hw-rxm8",
"modified": "2026-07-02T13:46:25Z",
"published": "2026-07-02T13:46:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-g5vh-55hw-rxm8"
},
{
"type": "PACKAGE",
"url": "https://github.com/gofiber/fiber"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer"
}
GHSA-G62R-H4Q8-QX29
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. The flash read-out protection (APPROTECT) can be bypassed by injecting a fault during the boot phase.
{
"affected": [],
"aliases": [
"CVE-2020-27211"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-21T13:15:00Z",
"severity": "MODERATE"
},
"details": "Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. The flash read-out protection (APPROTECT) can be bypassed by injecting a fault during the boot phase.",
"id": "GHSA-g62r-h4q8-qx29",
"modified": "2022-05-24T19:02:57Z",
"published": "2022-05-24T19:02:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27211"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2021/640"
},
{
"type": "WEB",
"url": "https://infocenter.nordicsemi.com/pdf/in_133_v1.0.pdf"
},
{
"type": "WEB",
"url": "https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass"
},
{
"type": "WEB",
"url": "https://www.aisec.fraunhofer.de/de/das-institut/wissenschaftliche-exzellenz/security-and-trust-in-open-source-security-tokens.html"
},
{
"type": "WEB",
"url": "https://www.aisec.fraunhofer.de/en/FirmwareProtection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G64F-MXRQ-5H8C
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14In Kaden PICOFLUX Air in all known versions an information exposure through observable discrepancy exists. This may give sensitive information (water consumption without distinct values) to third parties.
{
"affected": [],
"aliases": [
"CVE-2021-34576"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-16T13:15:00Z",
"severity": "MODERATE"
},
"details": "In Kaden PICOFLUX Air in all known versions an information exposure through observable discrepancy exists. This may give sensitive information (water consumption without distinct values) to third parties.",
"id": "GHSA-g64f-mxrq-5h8c",
"modified": "2022-05-24T19:14:51Z",
"published": "2022-05-24T19:14:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34576"
},
{
"type": "WEB",
"url": "https://www.fit.vutbr.cz/~polcak/CVE-2021-34576.en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G759-2X5W-F89C
Vulnerability from github – Published: 2024-02-21 18:31 – Updated: 2024-03-19 18:31An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
{
"affected": [],
"aliases": [
"CVE-2022-45177"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T16:15:49Z",
"severity": "HIGH"
},
"details": "An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.",
"id": "GHSA-g759-2x5w-f89c",
"modified": "2024-03-19T18:31:58Z",
"published": "2024-02-21T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45177"
},
{
"type": "WEB",
"url": "https://www.gruppotim.it/it/footer/red-team.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G854-MV2R-2R5H
Vulnerability from github – Published: 2023-07-24 18:30 – Updated: 2025-04-15 12:30A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2023-3640"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-24T16:15:13Z",
"severity": "HIGH"
},
"details": "A possible unauthorized memory access flaw was found in the Linux kernel\u0027s cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the \u0027Randomize per-cpu entry area\u0027 feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.",
"id": "GHSA-g854-mv2r-2r5h",
"modified": "2025-04-15T12:30:24Z",
"published": "2023-07-24T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-3640"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9P5-P7H5-P2WG
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2025-12-03 15:30Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.
{
"affected": [],
"aliases": [
"CVE-2021-33560"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-325"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T11:15:00Z",
"severity": "HIGH"
},
"details": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.",
"id": "GHSA-g9p5-p7h5-p2wg",
"modified": "2025-12-03T15:30:27Z",
"published": "2022-05-24T19:04:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560"
},
{
"type": "WEB",
"url": "https://dev.gnupg.org/T5305"
},
{
"type": "WEB",
"url": "https://dev.gnupg.org/T5328"
},
{
"type": "WEB",
"url": "https://dev.gnupg.org/T5466"
},
{
"type": "WEB",
"url": "https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-13"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GC7R-MR2H-CG8H
Vulnerability from github – Published: 2024-11-19 21:31 – Updated: 2024-11-20 18:32In the LG LAF component, there is a special command that allowed modification of certain partitions. This could lead to bypass of secure boot. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2018-9364"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T20:15:27Z",
"severity": "HIGH"
},
"details": "In the LG LAF component, there is a special command that allowed modification of certain partitions. This could lead to bypass of secure boot. User interaction is not needed for exploitation.",
"id": "GHSA-gc7r-mr2h-cg8h",
"modified": "2024-11-20T18:32:16Z",
"published": "2024-11-19T21:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9364"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GC93-42JM-WCM5
Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-06 18:30In Settings, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21325"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T17:15:49Z",
"severity": "MODERATE"
},
"details": "In Settings, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-gc93-42jm-wcm5",
"modified": "2023-11-06T18:30:18Z",
"published": "2023-10-30T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21325"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GCG5-86JR-F7JG
Vulnerability from github – Published: 2026-05-07 00:03 – Updated: 2026-05-08 21:47Impact
The screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user.
Patches
- https://github.com/WeblateOrg/weblate/pull/19258
Acknowledgement
Weblate thanks Luay for reporting this vulnerability according to the organization's security issues guideline.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "weblate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.17.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44263"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:03:50Z",
"nvd_published_at": "2026-05-07T15:16:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/19258\n\n### Acknowledgement\nWeblate thanks Luay for reporting this vulnerability according to the organization\u0027s [security issues guideline](https://docs.weblate.org/en/latest/security/issues.html).",
"id": "GHSA-gcg5-86jr-f7jg",
"modified": "2026-05-08T21:47:47Z",
"published": "2026-05-07T00:03:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gcg5-86jr-f7jg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44263"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/pull/19258"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/commit/6cf892c7bd50b667a65a99d716a90694f7d9f203"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/weblate"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate Vulnerable to Private Translation Enumeration via Screenshot API"
}
GHSA-GF86-2HWM-RMXM
Vulnerability from github – Published: 2024-06-16 18:31 – Updated: 2024-08-07 18:30Shenzhen Guoxin Synthesis image system before 8.3.0 allows username enumeration because of the response discrepancy of incorrect versus error.
{
"affected": [],
"aliases": [
"CVE-2024-38465"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-16T16:15:09Z",
"severity": "MODERATE"
},
"details": "Shenzhen Guoxin Synthesis image system before 8.3.0 allows username enumeration because of the response discrepancy of incorrect versus error.",
"id": "GHSA-gf86-2hwm-rmxm",
"modified": "2024-08-07T18:30:40Z",
"published": "2024-06-16T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38465"
},
{
"type": "WEB",
"url": "https://github.com/Pumpkin-ito/Cve-Vuln/blob/main/Guosen%20synthetic%20imaging%20system%20vulnerability.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.