Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-203 (通过差异性导致的信息暴露) — Vulnerability Class 130

130 vulnerabilities classified as CWE-203 (通过差异性导致的信息暴露). AI Chinese analysis included.

CWE-203, Observable Discrepancy, is a design weakness where a system’s behavior or responses vary noticeably based on specific conditions, revealing internal state information to unauthorized actors. Attackers typically exploit this by crafting inputs that trigger distinct error messages, timing delays, or response codes, allowing them to infer sensitive data such as user existence or system architecture through side-channel analysis. To mitigate this risk, developers must ensure consistent error handling and response formatting across all execution paths. This involves standardizing error messages, masking internal details, and implementing uniform response times regardless of the underlying cause. By abstracting internal logic and preventing information leakage through observable differences, organizations can significantly reduce the attack surface, ensuring that external interactions remain opaque and do not inadvertently aid adversaries in reconnaissance or exploitation efforts.

MITRE CWE Description
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
Common Consequences (2)
Confidentiality, Access ControlRead Application Data, Bypass Protection Mechanism
An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system. Other security-relevant information about the operation or internal state of the product may be revealed to an unauthorized actor, such…
ConfidentialityRead Application Data
In some cases, discrepancies can be used by attackers to form a side channel. When cryptographic primitives are vulnerable to side-channel attacks, this could be used to reveal unencrypted plaintext in the worst case.
Mitigations (2)
Architecture and DesignCompartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
ImplementationEnsure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Examples (2)
The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.
my $username=param('username'); my $password=param('password'); if (IsValidUsername($username) == 1) { if (IsValidPassword($username, $password) == 1) { print "Login Successful"; } else { print "Login Failed - incorrect password"; } } else { print "Login Failed - unknown username"; }
Bad · Perl
"Login Failed - incorrect username or password"
Result
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
def validate_password(actual_pw, typed_pw): if len(actual_pw) <> len(typed_pw): return 0 for i in len(actual_pw): if actual_pw[i] <> typed_pw[i]: return 0 return 1
Bad · Python
CVE IDTitleCVSSSeverityPublished
CVE-2025-1396 Username Enumeration in Multiple WSO2 Products with Multi-Attribute Login Enabled — WSO2 Identity Server 3.7 Low2025-09-26
CVE-2025-57770 ZITADEL user enumeration vulnerability in login UI — zitadel 5.3 Medium2025-08-22
CVE-2025-43751 Liferay Portal和Liferay DXP 安全漏洞 — Portal 7.5AIHighAI2025-08-22
CVE-2025-43743 Liferay Portal和Liferay DXP 安全漏洞 — Portal 4.3AIMediumAI2025-08-19
CVE-2025-43739 Liferay Portal和Liferay DXP 安全漏洞 — Portal 4.1AIMediumAI2025-08-19
CVE-2025-54999 OpenBao: Timing Side-Channel in Userpass Auth Method — openbao 3.7 Low2025-08-09
CVE-2025-47872 EG4 Electronics EG4 Inverters Observable Discrepancy — EG4 12kPV 5.8 Medium2025-08-08
CVE-2025-6011 Timing Side-Channel in Vault’s Userpass Auth Method — Vault 3.7 Low2025-08-01
CVE-2025-24391 Possible user enumeration — OTRS 5.3 Medium2025-07-14
CVE-2025-6386 Timing Attack Vulnerability in parisneo/lollms — parisneo/lollms 5.9AIMediumAI2025-07-07
CVE-2025-6056 Ergon Informatik AG Airlock IAM 安全漏洞 — Airlock IAM 5.3 -2025-07-04
CVE-2025-40732 User enumeration vulnerability in Daily Expense Manager — Daily Expense Manager 5.3AIMediumAI2025-06-30
CVE-2025-52576 Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass — kanboard 5.3 Medium2025-06-25
CVE-2024-47057 User name enumeration possible due to response time difference on password reset form — Mautic 5.3 Medium2025-05-28
CVE-2025-46804 Screen 5.0.0 and older versions allow file existence tests when installed setuid-root 3.3 Low2025-05-26
CVE-2025-23182 UBtech – CWE-203: Observable Discrepancy — Freepass 4.3 Medium2025-05-22
CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields — keystone 3.1 Low2025-05-05
CVE-2021-47664 Enumeration of valid user names — Franka Emika Robot 5.3 Medium2025-04-24
CVE-2024-11084 Potential Username Enumeration in Helix ALM — Helix ALM 5.3AIMediumAI2025-04-15
CVE-2025-0361 AXIS OS 安全漏洞 — AXIS OS 4.3 Medium2025-04-08
CVE-2025-31124 Zitadel allows User Enumeration by loginname attribute normalization — zitadel 5.3 Medium2025-03-31
CVE-2024-51477 IBM InfoSphere Information Server information disclosure — InfoSphere Information Server 4.3 Medium2025-03-28
CVE-2025-1468 CODESYS Control V3 - OPC UA Server Authentication bypass — CODESYS Runtime Toolkit 7.5 High2025-03-18
CVE-2025-29780 Post-Quantum Secure Feldman's Verifiable Secret Sharing has Timing Side-Channels in Matrix Operations — PostQuantum-Feldman-VSS 5.3 -2025-03-14
CVE-2024-41760 IBM Common Cryptographic Architecture information disclosure — Common Cryptographic Architecture 3.7 Low2025-03-11
CVE-2023-37482 Siemens SIMATIC S7-1200和SIMATIC S7-1500 安全漏洞 — SIMATIC Drive Controller CPU 1504D TF 5.3 Medium2025-02-11
CVE-2024-45089 IBM Sterling B2B Integrator information disclosure — Sterling B2B Integrator 4.3 Medium2025-01-31
CVE-2025-21336 Windows Cryptographic Information Disclosure Vulnerability — Windows 10 Version 1507 5.6 Medium2025-01-14
CVE-2024-54002 Dependency-Track allows enumeration of managed users via /api/v1/user/login endpoint — dependency-track 5.3 Medium2024-12-04
CVE-2020-26062 Cisco Integrated Management Controller Username Enumeration Vulnerability — Cisco Unified Computing System (Managed) 5.3 Medium2024-11-18

Vulnerabilities classified as CWE-203 (通过差异性导致的信息暴露) represent 130 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.