VYPR

CWE-203

Observable Discrepancy

Abstraction: Base · Status: Incomplete

Description

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-189

CVEs mapped to this weakness (224)

page 5 of 12
  • CVE-2024-54002 · Med · Dec 4, 2024
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exists in the system takes significantly longer than…

  • CVE-2024-41880 · Med · Jul 22, 2024
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    In veilid-core in Veilid before 0.3.4, the protocol's ping function can be misused in a way that decreases the effectiveness of safety and private routes.

  • CVE-2026-8242 · Low · May 10, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out…

  • CVE-2025-67806 · Low · Apr 1, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.

  • CVE-2026-4045 · Low · Mar 12, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level…

  • CVE-2025-11443 · Low · Oct 8, 2025
    risk 0.24 · CVSS 3.7 · EPSS 0.01

    A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack…

  • CVE-2025-9109 · Low · Aug 18, 2025
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible…

  • CVE-2024-12663 · Low · Dec 16, 2024
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be…

  • CVE-2023-36325 · Low · Oct 9, 2024
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    i2p before 2.3.0 (Java) allows de-anonymizing the public IPv4 and IPv6 addresses of i2p hidden services (aka eepsites) via a correlation attack across the IPv4 and IPv6 addresses that occurs when a tunneled, replayed message has a behavior discrepancy (it may be dropped, or may…

  • CVE-2020-1968 · Low · Sep 9, 2020
    risk 0.24 · CVSS 3.7 · EPSS 0.05

    The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop…

  • CVE-2026-44263 · Med · May 7, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.

  • CVE-2025-46804 · Low · May 26, 2025
    risk 0.21 · CVSS 3.3 · EPSS 0.00

    A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0.

  • CVE-2024-27839 · Low · May 14, 2024
    risk 0.21 · CVSS 3.3 · EPSS 0.00

    A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 17.5 and iPadOS 17.5. A malicious application may be able to determine a user's current location.

  • CVE-2025-8774 · Low · Aug 9, 2025
    risk 0.16 · CVSS 2.5 · EPSS 0.00

    A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required…

  • CVE-2003-0190 · May 12, 2003
    risk 0.09 · CVSS: none listed · EPSS 0.77

    OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

  • CVE-2004-1602 · Oct 15, 2004
    risk 0.05 · CVSS: none listed · EPSS 0.31

    ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.

  • CVE-2003-0078 · Mar 3, 2003
    risk 0.04 · CVSS: none listed · EPSS 0.14

    ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely…

  • CVE-2001-1528 · Dec 31, 2001
    risk 0.04 · CVSS: none listed · EPSS 0.08

    AmTote International homebet program returns different error messages when invalid account numbers and PIN codes are provided, which allows remote attackers to determine the existence of valid account numbers via a brute force attack.

  • CVE-2019-10071 · Sep 16, 2019
    risk 0.01 · CVSS: none listed · EPSS 0.09

    The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their…

  • CVE-2026-47379 · Jun 5, 2026
    risk 0.00 · CVSS: none listed · EPSS 0.00

    Summary: The shared-view password check fell back to strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. Details: The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was…