
CWE-204 (Observable Response Discrepancy) — Vulnerability Class 134

134 vulnerabilities classified as CWE-204 (Observable Response Discrepancy). AI Chinese analysis included.

CWE-204, Observable Response Discrepancy, is a design weakness in which a system gives different feedback depending on its internal state and thereby leaks sensitive information to unauthorized external actors. Attackers typically exploit this by comparing variations in response times, error messages, or status codes to infer the existence of specific users, valid input formats, or underlying system configuration. For instance, a login system that returns one error for an unknown username and a different one for a wrong password lets an attacker enumerate valid accounts. To mitigate this risk, developers must ensure uniform response behaviour regardless of which internal check failed: standardize error messages, normalize response times so that every failure path does comparable work, and keep error handling and logging from surfacing granular details about the application's internal logic or data validity to the end user.

MITRE CWE Description
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Common Consequences (1)
Scope: Confidentiality, Access Control. Impact: Read Application Data, Bypass Protection Mechanism.
Mitigations (2)
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Phase: Implementation. Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Examples (1)
The following code checks the validity of the supplied username and password and notifies the user of a successful or failed login.

Bad · Perl

    use strict;
    use warnings;
    use CGI qw(param);

    # IsValidUsername and IsValidPassword are application-defined lookups
    my $username = param('username');
    my $password = param('password');

    if (IsValidUsername($username) == 1) {
        if (IsValidPassword($username, $password) == 1) {
            print "Login Successful";
        }
        else {
            # Tells the caller the username exists but the password was wrong
            print "Login Failed - incorrect password";
        }
    }
    else {
        # Tells the caller the username does not exist; the two distinct
        # failure messages let anyone separate valid accounts from invalid ones
        print "Login Failed - unknown username";
    }

Result

A safer variant returns the same message on both failure paths, so the caller cannot tell an unknown username from a wrong password:

    "Login Failed - incorrect username or password"
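The following Python module is an added example, not code from the CWE page or from any product listed below. It restates the Perl login check above in a vulnerable form and places it beside a hardened version that addresses both discrepancies the introduction names: the distinct error text, and the timing difference that arises when an unknown username skips the password hash entirely. The user store, the account name "alice", its password and the PBKDF2 parameters are constructed for the demo.

```python
"""Login response discrepancy (CWE-204): leaky check beside a uniform one.
Added example; the user store, names and passwords below are constructed."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# PBKDF2 parameters (assumption: chosen to keep the demo dependency-free;
# a real service would use a dedicated password-hashing library).
_ITERATIONS = 50_000
_SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt)."""
    salt = salt or os.urandom(_SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, expected = stored[:_SALT_LEN], stored[_SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Constructed in-memory user store (assumption: stands in for a database).
USERS = {
    "alice": hash_password("correct horse battery staple"),
}

# Hash of a random throwaway secret. It is verified whenever the username is
# unknown, so the unknown-user path costs the same as the wrong-password path.
_DUMMY_HASH = hash_password(secrets.token_hex(16))

GENERIC_FAILURE = "Login Failed - incorrect username or password"


def login_vulnerable(username: str, password: str) -> str:
    """Mirrors the Perl example: the message reveals whether the username
    exists, and unknown users skip the slow hash check, so the two failures
    are also distinguishable by response time."""
    stored = USERS.get(username)
    if stored is None:
        return "Login Failed - unknown username"
    if verify_password(password, stored):
        return "Login Successful"
    return "Login Failed - incorrect password"


def login_hardened(username: str, password: str) -> str:
    """Same decision, uniform observable behaviour: one failure message, and
    the hash is always verified (against the dummy for unknown users), so
    neither the text nor the time taken depends on whether the account exists."""
    stored = USERS.get(username)
    known = stored is not None
    ok = verify_password(password, stored if known else _DUMMY_HASH)
    if known and ok:
        return "Login Successful"
    return GENERIC_FAILURE


def time_call(fn, username: str, password: str, rounds: int = 5) -> float:
    """Average wall-clock seconds per call; used only to illustrate the
    timing side channel, so it is not asserted on."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(username, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__)
        for user in ("alice", "nobody"):
            msg = fn(user, "wrong-password")
            print(f"  {user:8s} -> {msg!r}  ({time_call(fn, user, 'wrong-password') * 1e3:.1f} ms)")
```

Running the module shows the vulnerable function answering the unknown user almost instantly with a different message, while the hardened one returns the same string and takes roughly the same time on both paths. The `known and ok` guard matters: the dummy hash is verified only to equalize work, and a successful comparison against it must never count as a login.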
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-36996 | Information Disclosure of user names | Splunk Enterprise | 5.3 | Medium | 2024-07-01 |
| CVE-2024-38322 | IBM Storage Defender information disclosure | Storage Defender - Resiliency Service | 5.3 | Medium | 2024-06-28 |
| CVE-2024-6056 | nasirkhan Laravel Starter Password Reset forgot-password observable response discrepancy | Laravel Starter | 3.7 | Low | 2024-06-17 |
| CVE-2024-31870 | IBM i information disclosure | i | 3.3 | Low | 2024-06-15 |
| CVE-2023-27283 | IBM Aspera Orchestrator information disclosure | Aspera Orchestrator | 5.3 | Medium | 2024-05-04 |
| CVE-2021-20556 | IBM Cognos Controller information disclosure | Cognos Controller | 5.3 | Medium | 2024-05-03 |
| CVE-2024-28232 | Username Enumeration in CasaOS via bypass of CVE-2024-24766 | CasaOS-UserService | 6.2 | Medium | 2024-04-01 |
| CVE-2024-28868 | Umbraco possible user enumeration vulnerability | Umbraco-CMS | 3.7 | Low | 2024-03-20 |
| CVE-2024-1145 | Observable Response Discrepancy at Alma Devklan Blog | Alma Blog | 5.3 | Medium | 2024-03-19 |
| CVE-2024-2482 | Surya2Developer Hostel Management Service HTTP POST Request check_availability.php observable response discrepancy | Hostel Management Service | 3.7 | Low | 2024-03-15 |
| CVE-2023-46170 | IBM DS8900F information disclosure | DS8900F | 6.5 | Medium | 2024-03-07 |
| CVE-2024-24766 | CasaOS Username Enumeration | CasaOS-UserService | 6.2 | Medium | 2024-03-06 |
| CVE-2023-38362 | IBM CICS TX information disclosure | CICS TX Advanced | 5.3 | Medium | 2024-03-04 |
| CVE-2023-50306 | IBM Common Licensing information disclosure | Common Licensing | 4.0 | Medium | 2024-02-20 |
| CVE-2024-25146 | Liferay Portal and Liferay DXP security vulnerability | Portal | 5.3 | Medium | 2024-02-08 |
| CVE-2023-23584 | Gallagher Command Centre security vulnerability | Command Centre Server | 4.3 | Medium | 2023-12-18 |
| CVE-2023-4095 | User enumeration vulnerability in Fujitsu Arconte Áurea | Arconte Áurea | 5.3 | Medium | 2023-09-19 |
| CVE-2023-41885 | Piccolo's current `BaseUser.login` implementation is vulnerable to time based user enumeration | piccolo | 5.3 | Medium | 2023-09-12 |
| CVE-2023-3221 | User enumeration vulnerability in Roundcube Password Recovery Plugin | Password Recovery Plugin | 5.3 | Medium | 2023-09-04 |
| CVE-2023-40179 | Silverware Games vulnerable to account enumeration via inconsistent responses | silverwaregames-io-issue-tracker | 5.3 | Medium | 2023-08-25 |
| CVE-2023-39343 | Sulu Observable Response Discrepancy on Admin Login | sulu | 4.3 | Medium | 2023-08-04 |
| CVE-2023-37217 | Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy | Telecom Aeonix | 5.3 | Medium | 2023-07-30 |
| CVE-2023-35698 | SICK ICR890-4 security vulnerability | ICR890-4 | 5.3 | Medium | 2023-07-10 |
| CVE-2023-3336 | TN-5900 Series User Enumeration Vulnerability | TN-5900 Series | 5.3 | Medium | 2023-07-05 |
| CVE-2023-31186 | Avaya IX Workforce Engagement - User Enumeration - CWE-204: Observable Response Discrepancy | IX Workforce Engagement | 5.3 | Medium | 2023-05-30 |
| CVE-2023-28412 | Snap One OvrC Cloud security vulnerability | OvrC Cloud | 5.3 | Medium | 2023-05-22 |
| CVE-2023-32346 | Teltonika Remote Management System security vulnerability | Remote Management System | 5.3 | Medium | 2023-05-22 |
| CVE-2023-23449 | SICK FTMg security vulnerability | SICK FTMG-ESD15AXX AIR FLOW SENSOR | 5.3 | Medium | 2023-05-15 |
| CVE-2023-27464 | Siemens Mendix security vulnerability | Mendix Forgot Password (Mendix 7 compatible) | 5.3 | Medium | 2023-04-11 |
| CVE-2023-1540 | Observable Response Discrepancy in answerdev/answer | answerdev/answer | 8.2 | - | 2023-03-21 |

Vulnerabilities classified as CWE-204 (Observable Response Discrepancy) represent 134 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.