目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CWE-203 通过差异性导致的信息暴露 类漏洞列表 133

CWE-203 通过差异性导致的信息暴露 类弱点 133 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-203 属于可观察差异漏洞,指产品在不同情境下表现出可被未授权方察觉的差异行为或响应。攻击者常利用此特性进行侧信道分析,通过对比响应时间、错误信息或状态码,推断系统内部逻辑、验证用户身份或探测敏感数据。开发者应避免暴露细微差异,确保对合法与非法请求返回一致的错误提示和响应格式,并统一处理逻辑,从而消除可用于信息泄露的观测线索。

MITRE CWE 官方描述
CWE:CWE-203 Observable Discrepancy 英文:The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor. 译文:CWE:CWE-203 可观察差异 英文:产品在不同情况下表现出不同的行为或发送不同的响应,且这种差异对未授权实体是可观察的。
常见影响 (2)
Confidentiality, Access ControlRead Application Data, Bypass Protection Mechanism
An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system. Other security-relevant information about the operation or internal state of the product may be revealed to an unauthorized actor, such…
ConfidentialityRead Application Data
In some cases, discrepancies can be used by attackers to form a side channel. When cryptographic primitives are vulnerable to side-channel attacks, this could be used to reveal unencrypted plaintext in the worst case.
缓解措施 (2)
Architecture and DesignCompartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
ImplementationEnsure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
代码示例 (2)
The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.
my $username=param('username'); my $password=param('password'); if (IsValidUsername($username) == 1) { if (IsValidPassword($username, $password) == 1) { print "Login Successful"; } else { print "Login Failed - incorrect password"; } } else { print "Login Failed - unknown username"; }
Bad · Perl
"Login Failed - incorrect username or password"
Result
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
def validate_password(actual_pw, typed_pw): if len(actual_pw) <> len(typed_pw): return 0 for i in len(actual_pw): if actual_pw[i] <> typed_pw[i]: return 0 return 1
Bad · Python
CVE ID标题CVSS风险等级Published
CVE-2025-11443 OpnForm 安全漏洞 — OpnForm 3.7 Low2025-10-08
CVE-2025-54477 Joomla! CMS 安全漏洞 — Joomla! CMS 5.3AIMediumAI2025-09-30
CVE-2025-41252 VMware Cloud Foundation和VMware NSX 安全漏洞 — NSX 7.5 High2025-09-29
CVE-2025-1396 WSO2 Identity Server 安全漏洞 — WSO2 Identity Server 3.7 Low2025-09-26
CVE-2025-57770 ZITADEL 安全漏洞 — zitadel 5.3 Medium2025-08-22
CVE-2025-43751 Liferay Portal和Liferay DXP 安全漏洞 — Portal 7.5AIHighAI2025-08-22
CVE-2025-43743 Liferay Portal和Liferay DXP 安全漏洞 — Portal 4.3AIMediumAI2025-08-19
CVE-2025-43739 Liferay Portal和Liferay DXP 安全漏洞 — Portal 4.1AIMediumAI2025-08-19
CVE-2025-54999 OpenBao 安全漏洞 — openbao 3.7 Low2025-08-09
CVE-2025-47872 EG4 Electronics EG4 Inverters 安全漏洞 — EG4 12kPV 5.8 Medium2025-08-08
CVE-2025-6011 HashiCorp Vault Community Edition和HashiCorp Vault Enterprise 安全漏洞 — Vault 3.7 Low2025-08-01
CVE-2025-24391 OTRS 安全漏洞 — OTRS 5.3 Medium2025-07-14
CVE-2025-6386 LoLLMs 安全漏洞 — parisneo/lollms 5.9AIMediumAI2025-07-07
CVE-2025-6056 Ergon Informatik AG Airlock IAM 安全漏洞 — Airlock IAM 5.3 -2025-07-04
CVE-2025-40732 Code-Projects Daily Expense Manager 安全漏洞 — Daily Expense Manager 5.3AIMediumAI2025-06-30
CVE-2025-52576 Kanboard 安全漏洞 — kanboard 5.3 Medium2025-06-25
CVE-2024-47057 Mautic 安全漏洞 — Mautic 5.3 Medium2025-05-28
CVE-2025-46804 GNU Screen 安全漏洞 3.3 Low2025-05-26
CVE-2025-23182 UBtech Freepass 安全漏洞 — Freepass 4.3 Medium2025-05-22
CVE-2025-46720 Keystone 安全漏洞 — keystone 3.1 Low2025-05-05
CVE-2021-47664 Franka Emika Robot 安全漏洞 — Franka Emika Robot 5.3 Medium2025-04-24
CVE-2024-11084 Perforce ALM 安全漏洞 — Helix ALM 5.3AIMediumAI2025-04-15
CVE-2025-0361 AXIS OS 安全漏洞 — AXIS OS 4.3 Medium2025-04-08
CVE-2025-31124 ZITADEL 安全漏洞 — zitadel 5.3 Medium2025-03-31
CVE-2024-51477 IBM InfoSphere Information Server 安全漏洞 — InfoSphere Information Server 4.3 Medium2025-03-28
CVE-2025-1468 CODESYS Runtime Toolkit 安全漏洞 — CODESYS Runtime Toolkit 7.5 High2025-03-18
CVE-2025-29780 Post-Quantum Secure Feldman Verifiable Secret Sharing 安全漏洞 — PostQuantum-Feldman-VSS 5.3 -2025-03-14
CVE-2024-41760 IBM Common Cryptographic Architecture 安全漏洞 — Common Cryptographic Architecture 3.7 Low2025-03-11
CVE-2023-37482 Siemens SIMATIC S7-1200和SIMATIC S7-1500 安全漏洞 — SIMATIC Drive Controller CPU 1504D TF 5.3 Medium2025-02-11
CVE-2024-45089 IBM Sterling B2B Integrator 安全漏洞 — Sterling B2B Integrator 4.3 Medium2025-01-31

CWE-203(通过差异性导致的信息暴露) 是常见的弱点类别,本平台收录该类弱点关联的 133 条 CVE 漏洞。