VYPR

CWE-208

Observable Timing Discrepancy

BaseIncomplete

Description

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-462 · CAPEC-541 · CAPEC-580

CVEs mapped to this weakness (121)

page 5 of 7
  • CVE-2024-21671Jan 30, 2024
    risk 0.00cvss epss 0.00

    The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. …

  • CVE-2024-23342Jan 22, 2024
    risk 0.00cvss epss 0.01

    The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and…

  • CVE-2023-20902Nov 9, 2023
    risk 0.00cvss epss 0.00

    A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,  Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.

  • CVE-2015-20110Oct 31, 2023
    risk 0.00cvss epss 0.01

    JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course…

  • CVE-2023-46660Oct 25, 2023
    risk 0.00cvss epss 0.00

    Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46658Oct 25, 2023
    risk 0.00cvss epss 0.01

    Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46657Oct 25, 2023
    risk 0.00cvss epss 0.01

    Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46656Oct 25, 2023
    risk 0.00cvss epss 0.01

    Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2021-34337Apr 15, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the…

  • CVE-2023-25000Mar 30, 2023
    risk 0.00cvss epss 0.00

    HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the…

  • CVE-2023-1538Mar 21, 2023
    risk 0.00cvss epss 0.01

    Observable Timing Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

  • CVE-2023-25806Mar 2, 2023
    risk 0.00cvss epss 0.00

    OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls…

  • CVE-2010-10006Jan 17, 2023
    risk 0.00cvss epss 0.01

    A vulnerability, which was classified as problematic, was found in michaelliao jopenid. Affected is the function getAuthentication of the file JOpenId/src/org/expressme/openid/OpenIdManager.java. The manipulation leads to observable timing discrepancy. The complexity of an…

  • CVE-2022-3143Jan 11, 2023
    risk 0.00cvss epss 0.01

    wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use…

  • CVE-2016-15015Jan 8, 2023
    risk 0.00cvss epss 0.01

    A vulnerability, which was classified as problematic, was found in viafintech Barzahlen Payment Module PHP SDK up to 2.0.0. Affected is the function verify of the file src/Webhook.php. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather…

  • CVE-2014-125055Jan 7, 2023
    risk 0.00cvss epss 0.01

    A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function VerifyPassphrase of the file scrypt.go. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitability is…

  • CVE-2021-4294Dec 28, 2022
    risk 0.00cvss epss 0.01

    A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is…

  • CVE-2022-43411Oct 19, 2022
    risk 0.00cvss epss 0.01

    Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2022-43412Oct 19, 2022
    risk 0.00cvss epss 0.01

    Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2022-24912Jul 29, 2022
    risk 0.00cvss epss 0.01

    The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover…