
CWE-203 Information Exposure Through Discrepancy: vulnerability list (130 entries)

Summary of the 130 CVE vulnerabilities in the CWE-203 Information Exposure Through Discrepancy weakness class, with AI-generated Chinese analysis.

CWE-203 is an observable discrepancy weakness: the product behaves or responds differently in different circumstances in a way that an unauthorized party can detect. Attackers commonly exploit this for side-channel analysis, comparing response times, error messages or status codes to infer internal logic, confirm whether a user account exists, or probe for sensitive data. Developers should avoid exposing such subtle differences: return identical error messages and response formats for valid and invalid requests, and route both through the same handling logic, so that no observable cue remains from which information can be inferred.

MITRE CWE official description
CWE-203 Observable Discrepancy: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
Common consequences (2)
Scope: Confidentiality, Access Control · Impact: Read Application Data, Bypass Protection Mechanism
An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system. Other security-relevant information about the operation or internal state of the product may be revealed to an unauthorized actor, such…
Scope: Confidentiality · Impact: Read Application Data
In some cases, discrepancies can be used by attackers to form a side channel. When cryptographic primitives are vulnerable to side-channel attacks, this could be used to reveal unencrypted plaintext in the worst case.
Mitigations (2)
Phase: Architecture and Design · Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Phase: Implementation · Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Code examples (2)

Example 1. The following code checks the validity of the supplied username and password and notifies the user of a successful or failed login.

Bad · Perl

    my $username = param('username');
    my $password = param('password');

    if (IsValidUsername($username) == 1) {
        if (IsValidPassword($username, $password) == 1) {
            print "Login Successful";
        }
        else {
            # Distinct failure messages let a caller tell a valid username
            # from an unknown one, which is the observable discrepancy.
            print "Login Failed - incorrect password";
        }
    }
    else {
        print "Login Failed - unknown username";
    }

Result
Both failure branches should print the same message, so that a valid username cannot be distinguished from an unknown one:

    "Login Failed - incorrect username or password"

Example 2. In this example, the attacker observes how long an authentication takes as the typed password gets closer to the correct one.

Bad · Python

    def validate_password(actual_pw, typed_pw):
        # Length check and early return on the first mismatching character:
        # the time taken reveals how many leading characters were correct.
        if len(actual_pw) != len(typed_pw):
            return 0
        for i in range(len(actual_pw)):
            if actual_pw[i] != typed_pw[i]:
                return 0
        return 1
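The following block is an added example, not code from the page or from MITRE, that puts the two examples above side by side with their hardened forms. It instruments the early-exit comparison from the Python example with a step counter (a deterministic stand-in for elapsed time), shows a comparison whose work does not depend on the secret or on where the first mismatch occurs, and wraps the latter in a login routine that returns the single message recommended for the Perl example. The credential store, the user name "alice", her password and the dummy digest are all constructed for this example.

```python
import hashlib
import hmm_placeholder_guard if False else None  # noqa: E401 (kept out: see import below)
```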
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-44263 | Weblate screenshot API private translation enumeration vulnerability | weblate | 4.3 | Medium | 2026-05-07
CVE-2023-5872 | WAGO Smart Designer security vulnerability | Smart Designer | 4.3 | Medium | 2026-04-16
CVE-2026-33429 | Parse Server security vulnerability | parse-server | 3.7 | - | 2026-03-24
CVE-2026-33425 | Discourse security vulnerability | discourse | 5.3 | - | 2026-03-20
CVE-2026-3580 | wolfSSL security vulnerability | wolfSSL | 5.5 | - | 2026-03-19
CVE-2026-3579 | wolfSSL security vulnerability | wolfSSL | 7.5 | - | 2026-03-19
CVE-2026-28490 | Authlib cryptographic issue vulnerability | authlib | - | - | 2026-03-16
CVE-2026-21386 | Mattermost security vulnerability | Mattermost | 4.3 | Medium | 2026-03-16
CVE-2026-4040 | OpenClaw security vulnerability | OpenClaw | 3.3 | Low | 2026-03-12
CVE-2026-26315 | go-ethereum security vulnerability | go-ethereum | 7.5 | - | 2026-02-19
CVE-2026-23621 | GFI MailEssentials AI security vulnerability | MailEssentials AI | 4.3 | Medium | 2026-02-19
CVE-2026-23620 | GFI MailEssentials AI security vulnerability | MailEssentials AI | 4.3 | Medium | 2026-02-19
CVE-2019-25337 | ownCloud security vulnerability | OwnCloud | 9.8 | Critical | 2026-02-12
CVE-2026-26185 | Directus security vulnerability | directus | 5.3 | Medium | 2026-02-12
CVE-2026-25562 | WeKan security vulnerability | WeKan | 5.3 (AI-estimated) | Medium (AI-estimated) | 2026-02-07
CVE-2026-21484 | AnythingLLM security vulnerability | anything-llm | 5.3 | Medium | 2026-01-03
CVE-2022-50800 | H3C SSL VPN security vulnerability | H3C SSL VPN | 7.5 | High | 2025-12-30
CVE-2023-53943 | GLPI security vulnerability | GLPI | 5.3 | Medium | 2025-12-18
CVE-2025-68164 | JetBrains TeamCity security vulnerability | TeamCity | 2.7 | Low | 2025-12-16
CVE-2025-13912 | wolfSSL security vulnerability | wolfSSL | 2.9 (AI-estimated) | Low (AI-estimated) | 2025-12-11
CVE-2020-36888 | SpinetiX Fusion Digital Signage security vulnerability | Fusion Digital Signage | 5.3 (AI-estimated) | Medium (AI-estimated) | 2025-12-10
CVE-2025-39665 | NagVis security vulnerability | Nagvis | 5.3 (AI-estimated) | Medium (AI-estimated) | 2025-12-03
CVE-2025-11932 | wolfSSL security vulnerability | wolfSSL | 5.9 | - | 2025-11-21
CVE-2025-12888 | wolfSSL security vulnerability | wolfSSL | 5.9 | - | 2025-11-21
CVE-2025-64749 | Directus security vulnerability | directus | 4.3 | Medium | 2025-11-13
CVE-2025-11145 | CBK Soft EnVision security vulnerability | enVision | 7.5 | High | 2025-10-24
CVE-2025-36225 | IBM Aspera security vulnerability | Aspera Faspex | 4.3 | Medium | 2025-10-09
CVE-2025-11443 | OpnForm security vulnerability | OpnForm | 3.7 | Low | 2025-10-08
CVE-2025-54477 | Joomla! CMS security vulnerability | Joomla! CMS | 5.3 (AI-estimated) | Medium (AI-estimated) | 2025-09-30
CVE-2025-41252 | VMware Cloud Foundation and VMware NSX security vulnerability | NSX | 7.5 | High | 2025-09-29

CWE-203 (Information Exposure Through Discrepancy) is a common weakness class; this platform has collected the 130 CVE vulnerabilities associated with it.