CWE-203
Observable Discrepancy
Description
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-189
CVEs mapped to this weakness (224)
page 5 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-54002 | Med | 0.27 | 5.3 | 0.00 | Dec 4, 2024 | Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than… | ||
| CVE-2024-41880 | Med | 0.27 | 5.3 | 0.00 | Jul 22, 2024 | In veilid-core in Veilid before 0.3.4, the protocol's ping function can be misused in a way that decreases the effectiveness of safety and private routes. | ||
| CVE-2026-8242 | Low | 0.24 | 3.7 | 0.00 | May 10, 2026 | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out… | ||
| CVE-2025-67806 | Low | 0.24 | 3.7 | 0.00 | Apr 1, 2026 | The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions. | ||
| CVE-2026-4045 | Low | 0.24 | 3.7 | 0.00 | Mar 12, 2026 | A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level… | ||
| CVE-2025-11443 | Low | 0.24 | 3.7 | 0.01 | Oct 8, 2025 | A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack… | ||
| CVE-2025-9109 | Low | 0.24 | 3.7 | 0.00 | Aug 18, 2025 | A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible… | ||
| CVE-2024-12663 | Low | 0.24 | 3.7 | 0.00 | Dec 16, 2024 | A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be… | ||
| CVE-2023-36325 | — | Low | 0.24 | 3.7 | 0.00 | Oct 9, 2024 | i2p before 2.3.0 (Java) allows de-anonymizing the public IPv4 and IPv6 addresses of i2p hidden services (aka eepsites) via a correlation attack across the IPv4 and IPv6 addresses that occurs when a tunneled, replayed message has a behavior discrepancy (it may be dropped, or may… | |
| CVE-2020-1968 | Low | 0.24 | 3.7 | 0.05 | Sep 9, 2020 | The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop… | ||
| CVE-2026-44263 | Med | 0.21 | 4.3 | 0.00 | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. | ||
| CVE-2025-46804 | Low | 0.21 | 3.3 | 0.00 | May 26, 2025 | A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0. | ||
| CVE-2024-27839 | Low | 0.21 | 3.3 | 0.00 | May 14, 2024 | A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 17.5 and iPadOS 17.5. A malicious application may be able to determine a user's current location. | ||
| CVE-2025-8774 | Low | 0.16 | 2.5 | 0.00 | Aug 9, 2025 | A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required… | ||
| CVE-2003-0190 | 0.09 | — | 0.77 | May 12, 2003 | OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. | |||
| CVE-2004-1602 | 0.05 | — | 0.31 | Oct 15, 2004 | ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. | |||
| CVE-2003-0078 | 0.04 | — | 0.14 | Mar 3, 2003 | ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely… | |||
| CVE-2001-1528 | 0.04 | — | 0.08 | Dec 31, 2001 | AmTote International homebet program returns different error messages when invalid account numbers and PIN codes are provided, which allows remote attackers to determine the existence of valid account numbers via a brute force attack. | |||
| CVE-2019-10071 | 0.01 | — | 0.09 | Sep 16, 2019 | The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their… | |||
| CVE-2026-47379 | 0.00 | — | 0.00 | Jun 5, 2026 | ### Summary The shared-view password check fell back to strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. ### Details The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was… |
- risk 0.27cvss 5.3epss 0.00
Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than…
- risk 0.27cvss 5.3epss 0.00
In veilid-core in Veilid before 0.3.4, the protocol's ping function can be misused in a way that decreases the effectiveness of safety and private routes.
- risk 0.24cvss 3.7epss 0.00
A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out…
- risk 0.24cvss 3.7epss 0.00
The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.
- risk 0.24cvss 3.7epss 0.00
A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level…
- risk 0.24cvss 3.7epss 0.01
A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack…
- risk 0.24cvss 3.7epss 0.00
A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible…
- risk 0.24cvss 3.7epss 0.00
A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be…
- risk 0.24cvss 3.7epss 0.00
i2p before 2.3.0 (Java) allows de-anonymizing the public IPv4 and IPv6 addresses of i2p hidden services (aka eepsites) via a correlation attack across the IPv4 and IPv6 addresses that occurs when a tunneled, replayed message has a behavior discrepancy (it may be dropped, or may…
- risk 0.24cvss 3.7epss 0.05
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop…
- risk 0.21cvss 4.3epss 0.00
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.
- risk 0.21cvss 3.3epss 0.00
A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0.
- risk 0.21cvss 3.3epss 0.00
A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 17.5 and iPadOS 17.5. A malicious application may be able to determine a user's current location.
- risk 0.16cvss 2.5epss 0.00
A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required…
- CVE-2003-0190May 12, 2003risk 0.09cvss —epss 0.77
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
- CVE-2004-1602Oct 15, 2004risk 0.05cvss —epss 0.31
ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.
- CVE-2003-0078Mar 3, 2003risk 0.04cvss —epss 0.14
ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely…
- CVE-2001-1528Dec 31, 2001risk 0.04cvss —epss 0.08
AmTote International homebet program returns different error messages when invalid account numbers and PIN codes are provided, which allows remote attackers to determine the existence of valid account numbers via a brute force attack.
- CVE-2019-10071Sep 16, 2019risk 0.01cvss —epss 0.09
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their…
- CVE-2026-47379Jun 5, 2026risk 0.00cvss —epss 0.00
### Summary The shared-view password check fell back to strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. ### Details The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was…