CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
835 vulnerabilities reference this CWE, most recent first.
GHSA-GGJG-GJPC-93CX
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. Deleting a conversation in Messages may expose user contact information in system logging.
{
"affected": [],
"aliases": [
"CVE-2025-24146"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:19Z",
"severity": "CRITICAL"
},
"details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. Deleting a conversation in Messages may expose user contact information in system logging.",
"id": "GHSA-ggjg-gjpc-93cx",
"modified": "2025-11-03T21:32:29Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24146"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GHR2-C3Q4-JGCQ
Vulnerability from github – Published: 2024-12-27 21:30 – Updated: 2024-12-31 21:30An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames.
{
"affected": [],
"aliases": [
"CVE-2024-54454"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T20:15:23Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames.",
"id": "GHSA-ghr2-c3q4-jgcq",
"modified": "2024-12-31T21:30:45Z",
"published": "2024-12-27T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54454"
},
{
"type": "WEB",
"url": "https://kurmi-software.com"
},
{
"type": "WEB",
"url": "https://kurmi-software.com/cve-2024-54454"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHXR-HX5P-73MX
Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-21 00:01In cancelNotificationsFromListener of NotificationManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194697004
{
"affected": [],
"aliases": [
"CVE-2021-1031"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "LOW"
},
"details": "In cancelNotificationsFromListener of NotificationManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194697004",
"id": "GHSA-ghxr-hx5p-73mx",
"modified": "2021-12-21T00:01:12Z",
"published": "2021-12-16T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1031"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GJ72-R692-RHJX
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 15:35Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-14074"
],
"database_specific": {
"cwe_ids": [
"CWE-1300",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:19Z",
"severity": "MODERATE"
},
"details": "Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-gj72-r692-rhjx",
"modified": "2026-07-01T15:35:08Z",
"published": "2026-07-01T00:34:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14074"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/511743480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJV9-7PJ8-FWM8
Vulnerability from github – Published: 2023-06-05 15:33 – Updated: 2024-04-04 04:32emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request.
{
"affected": [],
"aliases": [
"CVE-2023-33518"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-05T15:15:09Z",
"severity": "MODERATE"
},
"details": "emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request.",
"id": "GHSA-gjv9-7pj8-fwm8",
"modified": "2024-04-04T04:32:04Z",
"published": "2023-06-05T15:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33518"
},
{
"type": "WEB",
"url": "https://github.com/emoncms/emoncms/issues/1856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJVJ-MXX4-QRVQ
Vulnerability from github – Published: 2022-04-29 02:57 – Updated: 2022-04-29 02:57YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.
{
"affected": [],
"aliases": [
"CVE-2004-0294"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-11-23T05:00:00Z",
"severity": "MODERATE"
},
"details": "YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.",
"id": "GHSA-gjvj-mxx4-qrvq",
"modified": "2022-04-29T02:57:29Z",
"published": "2022-04-29T02:57:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0294"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15236"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=107703591314745\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/9677"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GM2M-33H5-5HPM
Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-07 03:30In Overlay Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21330"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T17:15:49Z",
"severity": "MODERATE"
},
"details": "In Overlay Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-gm2m-33h5-5hpm",
"modified": "2023-11-07T03:30:25Z",
"published": "2023-10-30T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21330"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GMF8-M925-G3Q7
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2021-12-30 00:00An issue was discovered in UTI Mutual fund Android application 5.4.18 and prior, allows attackers to brute force enumeration of usernames determined by the error message returned after invalid credentials are attempted.
{
"affected": [],
"aliases": [
"CVE-2020-35398"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T22:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in UTI Mutual fund Android application 5.4.18 and prior, allows attackers to brute force enumeration of usernames determined by the error message returned after invalid credentials are attempted.",
"id": "GHSA-gmf8-m925-g3q7",
"modified": "2021-12-30T00:00:25Z",
"published": "2021-12-24T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35398"
},
{
"type": "WEB",
"url": "https://cvewalkthrough.com/cve-2020-35398-uti-mutual-fund-android-application-username-enumeration"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.utimutualfunds.utimutualfund\u0026hl=en_IN\u0026gl=US"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GMRF-99GW-VVWJ
Vulnerability from github – Published: 2021-03-11 17:42 – Updated: 2026-02-03 17:38This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.
If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.13.8.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezpublish-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "6.13.0"
},
{
"fixed": "6.13.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.15.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezpublish-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "7.5.0"
},
{
"fixed": "7.5.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-46876"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-11T17:41:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.\n\nIf you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc",
"id": "GHSA-gmrf-99gw-vvwj",
"modified": "2026-02-03T17:38:56Z",
"published": "2021-03-11T17:42:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876"
},
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezpublish-kernel"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/ezsystems/ezpublish-kernel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "/user/sessions endpoint allows detecting valid accounts"
}
GHSA-GP65-59GV-VQPF
Vulnerability from github – Published: 2022-08-18 00:00 – Updated: 2022-08-19 00:00Ampere Altra devices before 1.08g and Ampere Altra Max devices before 2.05a allow attackers to control the predictions for return addresses and potentially hijack code flow to execute arbitrary code via a side-channel attack, aka a "Retbleed" issue.
{
"affected": [],
"aliases": [
"CVE-2022-37459"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-17T13:15:00Z",
"severity": "HIGH"
},
"details": "Ampere Altra devices before 1.08g and Ampere Altra Max devices before 2.05a allow attackers to control the predictions for return addresses and potentially hijack code flow to execute arbitrary code via a side-channel attack, aka a \"Retbleed\" issue.",
"id": "GHSA-gp65-59gv-vqpf",
"modified": "2022-08-19T00:00:20Z",
"published": "2022-08-18T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37459"
},
{
"type": "WEB",
"url": "https://amperecomputing.com/products/security-bulletins/retbleed.html"
},
{
"type": "WEB",
"url": "https://developer.arm.com/documentation/ka005138/1-0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.