
CWE-204 (Observable Response Discrepancy) — Vulnerability Class 135

135 vulnerabilities classified as CWE-204 (Observable Response Discrepancy). AI Chinese analysis included.

CWE-204, Observable Response Discrepancy, is a design weakness where software systems provide inconsistent or distinct feedback based on internal states, inadvertently leaking sensitive information to unauthorized external actors. Attackers typically exploit this by analyzing variations in response times, error messages, or status codes to infer the existence of specific users, valid input formats, or underlying system configurations. For instance, a login system might return a generic error for invalid usernames but a specific message for invalid passwords, allowing attackers to enumerate valid accounts. To mitigate this risk, developers must ensure uniform response behaviors regardless of the specific internal failure or state. This involves standardizing error messages, normalizing response times, and implementing consistent logging practices that do not expose granular details about the application’s internal logic or data validity to the end user.

MITRE CWE Description
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Common Consequences (1)
Scope: Confidentiality, Access Control. Impact: Read Application Data, Bypass Protection Mechanism.
Mitigations (2)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Examples (1)
The following code checks the validity of the supplied username and password and notifies the user of a successful or failed login.

Bad · Perl
my $username = param('username');
my $password = param('password');

if (IsValidUsername($username) == 1) {
    if (IsValidPassword($username, $password) == 1) {
        print "Login Successful";
    } else {
        # Distinct message: confirms that the username exists
        print "Login Failed - incorrect password";
    }
} else {
    # Distinct message: confirms that the username does not exist
    print "Login Failed - unknown username";
}

Result
The two failure branches must print the same message so that the response does not reveal whether the username was valid:
"Login Failed - incorrect username or password"
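The same login check rewritten so that both failure paths produce an identical message and do comparable work, as an added Python example that is not part of the MITRE entry or this page. The user store, salts and PBKDF2 parameters are constructed for the example; a real system would load them from its credential store.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy credential that nobody can match. Hashing the supplied password against
# it keeps the "unknown username" path as expensive as the "known username" path,
# so response time does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)

# One message for every failure, matching the unified "Result" above.
LOGIN_FAILED = "Login Failed - incorrect username or password"
LOGIN_OK = "Login Successful"


def login(username: str, password: str):
    """Return (success, message) without revealing which credential was wrong."""
    known = username in USERS
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest runs in time independent of where the first mismatch is;
    # the bitwise & (not `and`) avoids short-circuiting on the unknown-user path.
    ok = hmac.compare_digest(candidate, expected) & known
    return (True, LOGIN_OK) if ok else (False, LOGIN_FAILED)


def failure_responses_are_uniform() -> bool:
    """Check that an unknown user and a wrong password are indistinguishable."""
    unknown_user = login("mallory", "anything")
    wrong_password = login("alice", "wrong")
    return unknown_user == wrong_password
```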
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-1540 | Observable Response Discrepancy in answerdev/answer | answerdev/answer | 8.2 | - | 2023-03-21
CVE-2022-39228 | Observable Response Discrepancy in vantage6 | vantage6 | 5.3 | Medium | 2023-03-01
CVE-2022-41697 | Ghost CMS security vulnerability | Ghost | 5.3 | - | 2022-12-23
CVE-2022-39315 | Kirby CMS vulnerable to user enumeration in the brute force protection | kirby | 6.5 | Medium | 2022-10-25
CVE-2021-36201 | CCURE Observable Response Discrepancy | C•CURE 9000 | 4.3 | Medium | 2022-10-11
CVE-2022-22520 | User enumeration vulnerability in MB connect line and Helmholz products | mymbCONNECT24 | 5.3 | Medium | 2022-09-14
CVE-2022-1989 | CODESYS Visualization vulnerable to user enumeration | CODESYS Visualization | 5.3 | Medium | 2022-08-23
CVE-2022-31248 | SUMA user enumeration via weak error message | SUSE Manager Server 4.1 | 5.3 | Medium | 2022-06-22
CVE-2022-0564 | Qlik Sense Enterprise Domain User enumeration | Qlik Sense Enterprise on Windows | 5.3 | Medium | 2022-02-21
CVE-2021-20049 | SonicWall SMA100 information disclosure vulnerability | SonicWall SMA100 | 7.5 | - | 2021-12-23
CVE-2021-34580 | Remote user enumeration in mymbCONNECT24, mbCONNECT24 <= 2.9.0 | mymbCONNECT24 | 7.5 | High | 2021-10-27
CVE-2021-38476 | InHand Networks IR615 Router | IR615 Router | 6.5 | Medium | 2021-10-19
CVE-2021-39189 | Observable Response Discrepancy in Lost Password Service | pimcore | 5.3 | Medium | 2021-09-15
CVE-2020-11063 | Observable Response Discrepancy in TYPO3 CMS | TYPO3 CMS | 3.7 | Low | 2020-05-13
CVE-2016-9499 | The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting. | FTP Server | 5.3 | - | 2018-07-13

Vulnerabilities classified as CWE-204 (Observable Response Discrepancy) represent 135 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.