CWE-203: Observable Discrepancy (Information Exposure via Side Channel)
724 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-203 (page 7 of 15)
- CVE-2021-46744 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-05-11
An attacker with access to a malicious hypervisor may be able to infer data values used in a SEV guest on AMD CPUs by monitoring ciphertext values over time.
- CVE-2021-46778 | MEDIUM | CVSS 5.6 | EG 7.5 | 2022-08-10
Execution unit scheduler contention may lead to a side channel vulnerability found on AMD CPU microarchitectures codenamed “Zen 1”, “Zen 2” and “Zen 3” that use simultaneous multithreading (SMT). By measuring the contention lev…
- CVE-2021-46876 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-12
An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.
- CVE-2021-47226 | HIGH | CVSS 7.1 | EG 7.1 | 2024-05-21
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer. Both Intel and AMD consider it to be architecturally valid for XRSTOR to fail with #PF but nonethe…
- CVE-2021-47664 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-04-24
Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames.
- CVE-2022-0564 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-02-21
A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful explo…
- CVE-2022-0569 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-02-14
Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.
- CVE-2022-0823 | MEDIUM | CVSS 6.2 | EG 6.2 | 2022-06-09
An improper control of interaction frequency vulnerability in Zyxel GS1200 series switches could allow a local attacker to guess the password by using a timing side-channel attack.
- CVE-2022-1139 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-07-23
Inappropriate implementation in Background Fetch API in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1146 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-07-23
Inappropriate implementation in Resource Timing in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1318 | MEDIUM | CVSS 6.2 | EG 5.5 | 2022-04-20
Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets is predictable. This would…
- CVE-2022-1989 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-08-23
All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.
- CVE-2022-20242 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-11
In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges …
- CVE-2022-20249 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-11
In LocaleManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privile…
- CVE-2022-20251 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-11
In LocaleManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privile…
- CVE-2022-20252 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-11
In PackageManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privil…
- CVE-2022-20264 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-10-30
In Usage Stats Service, there is a possible way to determine whether an app is installed, without query permissions due to side channel information disclosure. This could lead to local information disclosure with no additional execution pr…
- CVE-2022-20275 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution p…
- CVE-2022-20276 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution p…
- CVE-2022-20277 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution p…
- CVE-2022-20279 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution p…
- CVE-2022-20291 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In AppOpsService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privile…
- CVE-2022-20293 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In LauncherApps, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileg…
- CVE-2022-20304 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In Content, there is a possible way to determine the user's account due to side channel information disclosure. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exp…
- CVE-2022-20307 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
In AlarmManagerService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution p…
- CVE-2022-20309 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
In PackageInstaller, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution priv…
- CVE-2022-20316 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
In ContentResolver, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privi…
- CVE-2022-20318 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
In PackageInstaller, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution priv…
- CVE-2022-20320 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
In ActivityManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privi…
- CVE-2022-20324 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
In Framework, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges …
- CVE-2022-20531 | MEDIUM | CVSS 5.5 | EG 3.3 | 2022-12-16
In Telecom, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges ne…
- CVE-2022-20535 | LOW | CVSS 3.3 | EG 3.3 | 2022-12-16
In registerLocalOnlyHotspotSoftApCallback of WifiManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information di…
- CVE-2022-20538 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-12-16
In getSmsRoleHolder of RoleService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no addit…
- CVE-2022-20559 | LOW | CVSS 3.3 | EG 3.3 | 2022-12-16
In revokeOwnPermissionsOnKill of PermissionManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosu…
- CVE-2022-20752 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-07-06
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a…
- CVE-2022-20866 | HIGH | CVSS 7.4 | EG 7.5 | 2022-08-10
A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private ke…
- CVE-2022-20940 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-11-15
A vulnerability in the TLS handler of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain access to sensitive information. This vulnerability is due to improper implementation of counter…
- CVE-2022-21659 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-31
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non-authenticated user to enumerate exis…
- CVE-2022-22120 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-10
In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered…
- CVE-2022-22356 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-05
IBM MQ Appliance 9.2 CD and 9.2 LTS could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts. IBM X-Force ID: 220487.
- CVE-2022-23106 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-12
Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.
- CVE-2022-23303 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-17
The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.
- CVE-2022-23304 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-17
The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
- CVE-2022-23643 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-02-15
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an …
- CVE-2022-23823 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-06-15
A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.
- CVE-2022-24032 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-30
Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enumeration. An attacker can identify valid usernames on the platform because a failed login attempt produces a different error message when the username is valid.
- CVE-2022-24043 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-05-20
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The logi…
- CVE-2022-24436 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-06-15
Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.
- CVE-2022-24695 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-02
Bluetooth Classic in Bluetooth Core Specification through 5.3 does not properly conceal device information for Bluetooth transceivers in Non-Discoverable mode. By conducting an efficient over-the-air attack, an attacker can fully extract t…
- CVE-2022-24784 | LOW | CVSS 3.7 | EG 3.7 | 2022-03-25
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. …