CWE-204 - Observable Response Discrepancy

Read Time:1 Minute, 49 Second

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-203

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description:

Phase: Implementation

Description:

CVE References

CVE-2002-2094
- This, and others, use “..” attacks and monitor error responses, so there is overlap with directory traversal.

CVE-2001-1483
- Enumeration of valid usernames based on inconsistent responses

CVE-2001-1528
- Account number enumeration via inconsistent responses.

CVE-2004-2150
- User enumeration via discrepancies in error messages.

CVE-2005-1650
- User enumeration via discrepancies in error messages.

CVE-2004-0294
- Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.

CVE-2004-0243
- Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.

CVE-2002-0514
- Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.

CVE-2002-0515
- Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.

CVE-2001-1387
- Product may generate different responses than specified by the administrator, possibly leading to an information leak.

CVE-2004-0778
- Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.

CVE-2004-1428
- FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.

InCVE-2002-2094, CWE- 204, Observable Response Discrepancy

Scams Based on Fake Google Emails

Infostealers Dominate as Lumma Stealer Detections Soar by Almost 400%

The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)

US and Japan Blame North Korea for $308m Crypto Heist

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

Spyware Maker NSO Group Liable for WhatsApp User Hacks

Major Biometric Data Farming Operation Uncovered

Ransomware Attack Exposes Data of 5.6 Million Ascension Patients

Critical Vulnerabilities Found in WordPress Plugins WPLMS and VibeBP

CWE-204 – Observable Response Discrepancy

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security