CWE-208 (Information Exposure Through Timing Discrepancy) — Vulnerability Class 103

103 vulnerabilities classified as CWE-208 (Information Exposure Through Timing Discrepancy). AI Chinese analysis included.

CWE-208 represents an information leakage weakness where an application’s response time varies based on internal state, inadvertently revealing sensitive data to external observers. Attackers typically exploit this by measuring the duration of operations, such as login attempts or database queries, to infer the existence of valid usernames or correct password characters. By analyzing these subtle timing differences, adversaries can bypass authentication mechanisms or extract confidential information without direct access. To mitigate this risk, developers must ensure that all security-critical operations take a constant amount of time, regardless of the outcome. This involves implementing uniform error handling, using constant-time comparison algorithms for secrets, and avoiding early returns that expose processing stages. By standardizing execution duration, applications prevent attackers from leveraging timing discrepancies to gain unauthorized insights into system states or credentials.

MITRE CWE Description
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
Common Consequences (1)
Scope: Confidentiality, Access Control · Impact: Read Application Data, Bypass Protection Mechanism
Examples (2)
Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.
always_comb begin
    check_pass = 4'b0;
    for (int i = 0; i < 4; i++) begin
        // Compare byte i of the entered password with the golden value
        if (entered_pass[i*8 +: 8] == golden_pass[i*8 +: 8]) begin
            check_pass[i] = 1'b1;
            continue;
        end else begin
            check_pass[i] = 1'b0;
            break;  // stops at the first mismatching byte
        end
    end
    grant_access = (check_pass == 4'b1111) ? 1'b1 : 1'b0;
end
Bad · Verilog
always_comb begin
    check_pass = 4'b0;
    for (int i = 0; i < 4; i++) begin
        // Compare byte i of the entered password with the golden value
        if (entered_pass[i*8 +: 8] == golden_pass[i*8 +: 8]) begin
            check_pass[i] = 1'b1;
            continue;
        end else begin
            check_pass[i] = 1'b0;
            continue;  // keeps checking the remaining bytes after a mismatch
        end
    end
    grant_access = (check_pass == 4'b1111) ? 1'b1 : 1'b0;
end
Good · Verilog
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
def validate_password(actual_pw, typed_pw):
    if len(actual_pw) != len(typed_pw):
        return 0
    for i in range(len(actual_pw)):
        # Returns at the first mismatching character
        if actual_pw[i] != typed_pw[i]:
            return 0
    return 1
Bad · Python
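
As an added example (not part of the MITRE entry or this page's own code), the Python "Bad" comparison above is instrumented to count the bytes it examines, which makes the leak visible without measuring time, and is set beside two hardened forms. The names `early_exit_compare`, `accumulate_compare`, `work_profile` and the sample secret are constructed for illustration.

```python
import hashlib
import hmac

def early_exit_compare(actual: bytes, typed: bytes) -> tuple:
    """The 'Bad' pattern, instrumented: returns (match, bytes_examined)."""
    if len(actual) != len(typed):
        return False, 0
    for i in range(len(actual)):
        if actual[i] != typed[i]:
            return False, i + 1  # work done tracks the matching prefix
    return True, len(actual)

def accumulate_compare(actual: bytes, typed: bytes) -> tuple:
    """Equal-length inputs: XOR every byte pair and OR the results, no early return."""
    if len(actual) != len(typed):
        return False, 0  # the length check is still observable here
    diff = 0
    examined = 0
    for a, t in zip(actual, typed):
        diff |= a ^ t
        examined += 1
    return diff == 0, examined

def validate_password(actual_pw: str, typed_pw: str) -> bool:
    """Hardened form: hash both sides to a fixed length, then compare
    with the standard library's constant-time hmac.compare_digest."""
    a = hashlib.sha256(actual_pw.encode()).digest()
    t = hashlib.sha256(typed_pw.encode()).digest()
    return hmac.compare_digest(a, t)

def work_profile(compare, secret: bytes, guesses) -> list:
    """Bytes examined by `compare` for each guess against `secret`."""
    return [compare(secret, g)[1] for g in guesses]

# Constructed sample data: guesses sharing 0, 2, 4 and 8 leading bytes with the secret.
SECRET = b"hunter2!"
GUESSES = [b"xxxxxxxx", b"huxxxxxx", b"huntxxxx", b"hunter2!"]

if __name__ == "__main__":
    print(work_profile(early_exit_compare, SECRET, GUESSES))
    print(work_profile(accumulate_compare, SECRET, GUESSES))
    print(validate_password("hunter2!", "hunter2!"))
```

A pure-Python loop such as `accumulate_compare` only shows the structure of a fixed-work comparison; production code should call `hmac.compare_digest`, as `validate_password` does.
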
CVE ID · Title · CVSS · Severity · Published
CVE-2025-54499 · Insecure string comparison enables timing attacks — Mattermost · 3.1 · Low · 2025-10-16
CVE-2025-9031 · Timing-Based Username Enumeration in DivvyDrive Information Technologies' DivvyDrive Web — DivvyDrive Web · 4.3 · Medium · 2025-09-24
CVE-2025-59432 · Timing Attack Vulnerability in SCRAM Authentication — scram · 5.9 (AI) · Medium (AI) · 2025-09-22
CVE-2025-59350 · Timing attacks against Proxy’s basic authentication are possible — dragonfly · 5.9 (AI) · Medium (AI) · 2025-09-17
CVE-2025-59058 · httpsig-rs's HMAC verification is vulnerable to timing attack — httpsig-rs · 5.9 · Medium · 2025-09-12
CVE-2025-7383 · Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in Oberon PSA Crypto library — Oberon PSA Crypto · 5.9 · - · 2025-08-29
CVE-2025-7071 · Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in ocrypto library — ocrypto · 7.5 · - · 2025-08-29
CVE-2025-43754 · Liferay Portal and Liferay DXP security vulnerability — Portal · 7.5 (AI) · High (AI) · 2025-08-21
CVE-2025-8774 · riscv-boom SonicBOOM L1 Data Cache timing discrepancy — SonicBOOM · 2.5 · Low · 2025-08-09
CVE-2025-53940 · Quiet uses insecure, inconsistent verification on local backend token — quiet · 3.7 · - · 2025-07-24
CVE-2025-48995 · SignXML's signature verification with HMAC is vulnerable to a timing attack — signxml · 5.9 (AI) · Medium (AI) · 2025-06-02
CVE-2025-46570 · vLLM’s Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel — vllm · 2.6 · Low · 2025-05-29
CVE-2025-27936 · Webhook Secret Exposure via Timing attack in MSteams plugin — Mattermost · 5.3 · Medium · 2025-04-16
CVE-2024-36469 · User enumeration via timing attack in Zabbix web interface — Zabbix · 9.4 (AI) · Critical (AI) · 2025-04-02
CVE-2024-13939 · String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string — String::Compare::ConstantTime · 3.7 · - · 2025-03-28
CVE-2025-30344 · OpenSlides security vulnerability — OpenSlides · 5.3 · Medium · 2025-03-21
CVE-2024-22340 · IBM Common Cryptographic Architecture information disclosure — Common Cryptographic Architecture · 6.5 · Medium · 2025-03-11
CVE-2024-23953 · Apache Hive: Timing Attack Against Signature in LLAP util — Apache Hive · 6.5 · - · 2025-01-28
CVE-2024-56738 · GNU GRUB security vulnerability — GRUB2 · 7.5 · - · 2024-12-29
CVE-2024-52307 · authentik allows a timing attack due to missing constant time comparison for metrics view — authentik · 9.1 (AI) · Critical (AI) · 2024-11-21
CVE-2024-41741 · IBM TXSeries for Multiplatforms information disclosure — TXSeries for Multiplatforms · 5.3 · Medium · 2024-11-01
CVE-2024-7010 · Timing Attack in mudler/localai — mudler/localai · 5.9 (AI) · Medium (AI) · 2024-10-29
CVE-2024-47178 · basic-auth-connect's callback uses time unsafe string comparison — basic-auth-connect · 3.7 · - · 2024-09-30
CVE-2024-45052 · Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability — fides · 5.3 · Medium · 2024-09-04
CVE-2024-1543 · AES T-Table sub-cache-line leakage — wolfSSL · 4.1 · Medium · 2024-08-29
CVE-2024-42368 · open-telemetry has an Observable Timing Discrepancy — opentelemetry-collector-contrib · 6.5 · Medium · 2024-08-13
CVE-2024-29995 · Windows Kerberos Elevation of Privilege Vulnerability — Windows 10 Version 1809 · 8.1 · High · 2024-08-13
CVE-2024-41828 · JetBrains TeamCity security vulnerability — TeamCity · 2.6 · Low · 2024-07-22
CVE-2024-40640 · Usage of non-constant time base64 decoder could lead to leakage of secret key material in vodozemac — vodozemac · 2.9 · Low · 2024-07-17
CVE-2024-36405 · Control-flow timing leak in Kyber reference implementation when compiled with Clang 15-18 for -Os, -O1 and other options — liboqs · 5.9 · Medium · 2024-06-10

Vulnerabilities classified as CWE-208 (Information Exposure Through Timing Discrepancy) represent 103 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.