Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-208 (通过时间差异性导致的信息暴露) — Vulnerability Class 116

116 vulnerabilities classified as CWE-208 (通过时间差异性导致的信息暴露). AI Chinese analysis included.

CWE-208 represents an information leakage weakness where an application’s response time varies based on internal state, inadvertently revealing sensitive data to external observers. Attackers typically exploit this by measuring the duration of operations, such as login attempts or database queries, to infer the existence of valid usernames or correct password characters. By analyzing these subtle timing differences, adversaries can bypass authentication mechanisms or extract confidential information without direct access. To mitigate this risk, developers must ensure that all security-critical operations take a constant amount of time, regardless of the outcome. This involves implementing uniform error handling, using constant-time comparison algorithms for secrets, and avoiding early returns that expose processing stages. By standardizing execution duration, applications prevent attackers from leveraging timing discrepancies to gain unauthorized insights into system states or credentials.

MITRE CWE Description
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
Common Consequences (1)
Confidentiality, Access ControlRead Application Data, Bypass Protection Mechanism
Examples (2)
Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.
always_comb @ (posedge clk) begin assign check_pass[3:0] = 4'b0; for (i = 0; i < 4; i++) begin if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 - 1) : i]) assign check_pass[i] = 1; continue; else assign check_pass[i] = 0; break; end assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0; end
Bad · Verilog
always_comb @ (posedge clk) begin assign check_pass[3:0] = 4'b0; for (i = 0; i < 4; i++) begin if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 -1) : i]) assign check_pass[i] = 1; continue; else assign check_pass[i] = 0; continue; end assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0; end
Good · Verilog
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
def validate_password(actual_pw, typed_pw): if len(actual_pw) <> len(typed_pw): return 0 for i in len(actual_pw): if actual_pw[i] <> typed_pw[i]: return 0 return 1
Bad · Python
CVE IDTitleCVSSSeverityPublished
CVE-2026-54411 Linux-pam 信息泄露漏洞 — Linux-PAM 5.9 Medium2026-06-14
CVE-2017-20240 Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks — Crypt::PBKDF2--2026-06-12
CVE-2026-48011 Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames — shopware 3.7 Low2026-06-10
CVE-2026-48859 SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration — OTP--2026-06-10
CVE-2026-5419 Guntls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal — Red Hat Enterprise Linux 10 3.7 Low2026-06-01
CVE-2026-5091 Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks — Catalyst::Plugin::Authentication--2026-05-21
CVE-2026-44061 DES-ECB auth with timing side channel — Netatalk 5.9 Medium2026-05-21
CVE-2026-47373 Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks — Crypt::SaltedHash--2026-05-20
CVE-2026-47784 Memcached 安全漏洞 — memcached 8.1 High2026-05-20
CVE-2026-47783 Memcached 安全漏洞 — memcached 8.1 High2026-05-20
CVE-2026-44368 PyQuorum: Timing side‑channel in mul_mod — pyquorum--2026-05-13
CVE-2026-42602 azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay — opentelemetry-collector-contrib 8.1 High2026-05-13
CVE-2026-43514 Apache Tomcat: AJP secret compared in non-constant time — Apache Tomcat--2026-05-12
CVE-2026-41588 RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key() — relate 9.0 Critical2026-05-08
CVE-2026-41161 Username Enumeration via Timing Attack — server 5.3AIMediumAI2026-05-08
CVE-2026-33006 Apache HTTP Server: mod_auth_digest timing attack — Apache HTTP Server 8.1 -2026-05-04
CVE-2026-41263 Traefik: BasicAuth middleware: timing side-channel vulnerability — traefik 3.7 -2026-04-30
CVE-2026-41407 OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison — OpenClaw 3.7 Low2026-04-28
CVE-2026-40972 VMware Spring Boot 安全漏洞 — Spring Boot 7.5 High2026-04-27
CVE-2026-41244 Mojic: Observable Timing Discrepancy in HMAC Verification — mojic 4.7 Medium2026-04-24
CVE-2026-41418 4ga Boards: User Enumeration via Timing Side-Channel in Authentication Endpoint — 4gaBoards 5.3 Medium2026-04-24
CVE-2026-40263 Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel — note-mark 3.7 Low2026-04-16
CVE-2026-33877 ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint — apostrophe 3.7 Low2026-04-15
CVE-2026-5086 Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks — Crypt::SecretBuffer 5.9 -2026-04-13
CVE-2026-40194 phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() — phpseclib 3.7 Low2026-04-10
CVE-2026-39321 Parse Server has a login timing side-channel reveals user existence — parse-server 4.8AIMediumAI2026-04-07
CVE-2026-32595 Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration — traefik 3.7 -2026-03-20
CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils — h3 5.9 Medium2026-03-20
CVE-2026-32935 phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack — phpseclib 5.9 -2026-03-20
CVE-2026-32702 Cleanuparr has Username Enumeration via Timing Attack — Cleanuparr 3.7AILowAI2026-03-13

Vulnerabilities classified as CWE-208 (通过时间差异性导致的信息暴露) represent 116 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.