CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
298 vulnerabilities reference this CWE, most recent first.
GHSA-36GF-GHCV-F3QQ
Vulnerability from github – Published: 2024-09-10 12:30 – Updated: 2024-09-10 12:30A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.
{
"affected": [],
"aliases": [
"CVE-2023-49069"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T10:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Mendix Runtime V10 (All versions \u003c V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions \u003c V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions \u003c V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions \u003c V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.",
"id": "GHSA-36gf-ghcv-f3qq",
"modified": "2024-09-10T12:30:37Z",
"published": "2024-09-10T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49069"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-097435.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-36GX-9Q6H-G429
Vulnerability from github – Published: 2023-02-28 23:18 – Updated: 2026-05-29 20:49Impact
We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don't let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.
Patches
Update to 3.8.0+
Workarounds
No
References
https://github.com/vantage6/vantage6/issues/59
For more information
If you have any questions or comments about this advisory: * Email us at vantage6@iknl.nl
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vantage6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39228"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-28T23:18:37Z",
"nvd_published_at": "2023-03-01T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWe are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don\u0027t let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.\n\n### Patches\nUpdate to 3.8.0+\n\n### Workarounds\nNo\n\n### References\nhttps://github.com/vantage6/vantage6/issues/59\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [vantage6@iknl.nl](mailto:vantage6@iknl.nl)",
"id": "GHSA-36gx-9q6h-g429",
"modified": "2026-05-29T20:49:19Z",
"published": "2023-02-28T23:18:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39228"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/issues/59"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/pull/281"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-313.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-52.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vantage6/vantage6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "vantage6 vulnerable to Observable Response Discrepancy"
}
GHSA-3765-5F6W-7P86
Vulnerability from github – Published: 2026-06-05 15:32 – Updated: 2026-06-05 15:32Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting.
This issue affects Geographic Tracking System: before v0.0.2.
{
"affected": [],
"aliases": [
"CVE-2026-6207"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T15:16:53Z",
"severity": "CRITICAL"
},
"details": "Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting.\n\nThis issue affects Geographic Tracking System: before v0.0.2.",
"id": "GHSA-3765-5f6w-7p86",
"modified": "2026-06-05T15:32:26Z",
"published": "2026-06-05T15:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6207"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-387M-J3P9-3PHP
Vulnerability from github – Published: 2026-03-02 19:42 – Updated: 2026-03-02 19:42Summary
The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.
Details
POST /api/v2/auth/password/forgot returned a success message for registered emails but 'Your email has not been registered.' for unknown emails. The fix returns a uniform response regardless of whether the email exists.
Impact
An unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.
Credit
This issue was reported by @Tulgaaaaaaaa.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.301.2"
},
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.301.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28358"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T19:42:07Z",
"nvd_published_at": "2026-03-02T17:16:33Z",
"severity": "LOW"
},
"details": "### Summary\nThe password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.\n\n### Details\n`POST /api/v2/auth/password/forgot` returned a success message for registered emails but `\u0027Your email has not been registered.\u0027` for unknown emails. The fix returns a uniform response regardless of whether the email exists.\n\n### Impact\nAn unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.\n\n### Credit\nThis issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).",
"id": "GHSA-387m-j3p9-3php",
"modified": "2026-03-02T19:42:07Z",
"published": "2026-03-02T19:42:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28358"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "NocoDB Vulnerable to User Enumeration via Password Reset Endpoint"
}
GHSA-38MG-MW32-J4P4
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.
{
"affected": [],
"aliases": [
"CVE-2025-40806"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:17:45Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Gridscale X Prepay (All versions \u003c V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.",
"id": "GHSA-38mg-mw32-j4p4",
"modified": "2025-12-09T18:30:36Z",
"published": "2025-12-09T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40806"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-356310.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-38WQ-6Q2W-HCF9
Vulnerability from github – Published: 2026-02-25 18:53 – Updated: 2026-02-27 21:49Summary
The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.
Details
When submitting invalid credentials to /ui/login, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.
This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.
Proof of Concept
Bogus Login (Non-existent Username "15251087")
Response contains:
Cannot get find any account associated with 15251087 identity.
Bogus Login (Existing Username "root", Wrong Password)
Response contains:
Cannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.
The difference in error messages confirms whether a username exists.
Impact
An unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.
Remediation / Mitigation
Return a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.
Reources:
- OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "35.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "36.0.0rc1"
},
{
"fixed": "38.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0rc1"
},
{
"fixed": "39.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25138"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T18:53:42Z",
"nvd_published_at": "2026-02-25T20:23:47Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.\n\n### Details\nWhen submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.\n\nThis behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.\n\n### Proof of Concept\n**Bogus Login (Non-existent Username \"15251087\")** \nResponse contains:\n```\nCannot get find any account associated with 15251087 identity.\n```\n\n**Bogus Login (Existing Username \"root\", Wrong Password)** \nResponse contains:\n```\nCannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.\n```\n\nThe difference in error messages confirms whether a username exists.\n\n### Impact\nAn unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.\n\n### Remediation / Mitigation\nReturn a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.\n\n#### Reources:\n- OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages",
"id": "GHSA-38wq-6q2w-hcf9",
"modified": "2026-02-27T21:49:59Z",
"published": "2026-02-25T18:53:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25138"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages"
},
{
"type": "PACKAGE",
"url": "https://github.com/rucio/rucio"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rucio WebUI has Username Enumeration via Login Error Message"
}
GHSA-3GGV-QWCP-J6XG
Vulnerability from github – Published: 2025-09-03 22:20 – Updated: 2025-09-03 22:20Impact
The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.
Patches
This vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not.
Technical Details
The vulnerability was caused by different response times when: - A valid username was provided (password hashing occurred) - An invalid username was provided (no password hashing occurred)
The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.
Workarounds
No workarounds are available. Users should upgrade to the patched version.
References
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
- https://github.com/mautic/mautic-security/pull/146
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-alpha"
},
{
"fixed": "5.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-alpha"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-9824"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-03T22:20:16Z",
"nvd_published_at": "2025-09-03T15:15:49Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.\n\n### Patches\nThis vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not.\n\n### Technical Details\nThe vulnerability was caused by different response times when:\n- A valid username was provided (password hashing occurred)\n- An invalid username was provided (no password hashing occurred)\n\nThe fix introduces a `TimingSafeFormLoginAuthenticator` that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.\n\n### Workarounds\nNo workarounds are available. Users should upgrade to the patched version.\n\n### References\n- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account\n- https://github.com/mautic/mautic-security/pull/146",
"id": "GHSA-3ggv-qwcp-j6xg",
"modified": "2025-09-03T22:20:16Z",
"published": "2025-09-03T22:20:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-3ggv-qwcp-j6xg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9824"
},
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/commit/6bc4f5f1aabb13df12714ad0ea9fc281cbb867c6"
},
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/commit/b4264c717ce31fbafafcefc04b02ecb9fb911e62"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mautic Vulnerable to User Enumeration via Response Timing"
}
GHSA-3HMX-7W48-9WCC
Vulnerability from github – Published: 2023-09-04 15:30 – Updated: 2024-04-04 07:26User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.
{
"affected": [],
"aliases": [
"CVE-2023-3221"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T13:15:32Z",
"severity": "MODERATE"
},
"details": "User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.",
"id": "GHSA-3hmx-7w48-9wcc",
"modified": "2024-04-04T07:26:14Z",
"published": "2023-09-04T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3221"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-roundcube-password-recovery-plugin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3Q4W-RF2J-FX5X
Vulnerability from github – Published: 2024-11-06 09:31 – Updated: 2024-11-06 09:31Observable Response Discrepancy vulnerability in HumHub GmbH & Co. KG - HumHub on Linux allows: Excavation (user enumeration).This issue affects all released HumHub versions: through 1.16.2.
{
"affected": [],
"aliases": [
"CVE-2024-52043"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-06T08:15:03Z",
"severity": "MODERATE"
},
"details": "Observable Response Discrepancy vulnerability in HumHub GmbH \u0026 Co. KG - HumHub on Linux allows: Excavation (user enumeration).This issue affects all released HumHub versions: through 1.16.2.",
"id": "GHSA-3q4w-rf2j-fx5x",
"modified": "2024-11-06T09:31:22Z",
"published": "2024-11-06T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52043"
},
{
"type": "WEB",
"url": "https://github.com/humhub/humhub/security"
},
{
"type": "WEB",
"url": "https://www.vulsec.org/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3QV6-5F5F-F89J
Vulnerability from github – Published: 2024-09-12 21:32 – Updated: 2024-09-12 21:32User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.
{
"affected": [],
"aliases": [
"CVE-2024-34336"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T19:15:03Z",
"severity": "MODERATE"
},
"details": "User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.",
"id": "GHSA-3qv6-5f5f-f89j",
"modified": "2024-09-12T21:32:02Z",
"published": "2024-09-12T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34336"
},
{
"type": "WEB",
"url": "https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336"
},
{
"type": "WEB",
"url": "http://foss-online.com"
},
{
"type": "WEB",
"url": "http://ordat.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.