CWE-204 Detalhe

CWE-204

Observable Response Discrepancy
Incomplete
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Informações Gerais

Modos de Introdução

Architecture and Design : An observable response discrepancy frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. The discrepancy could be inadvertent (bug) or intentional (design).
Implementation : An observable response discrepancy frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. The discrepancy could be inadvertent (bug) or intentional (design).

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
Confidentiality
Access Control		Read Application Data, Bypass Protection Mechanism

Exemplos Observados

Referências Descrição

CVE-2002-2094

This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal.

CVE-2001-1483

Enumeration of valid usernames based on inconsistent responses

CVE-2001-1528

Account number enumeration via inconsistent responses.

CVE-2004-2150

User enumeration via discrepancies in error messages.

CVE-2005-1650

User enumeration via discrepancies in error messages.

CVE-2004-0294

Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.

CVE-2004-0243

Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.

CVE-2002-0514

Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.

CVE-2002-0515

Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.

CVE-2001-1387

Product may generate different responses than specified by the administrator, possibly leading to an information leak.

CVE-2004-0778

Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.

CVE-2004-1428

FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.

Mitigações Potenciais

Phases : Architecture and Design
Phases : Implementation

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Padrões de Ataque Relacionados

CAPEC-ID Nome do Padrão de Ataque
CAPEC-331 ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332 ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541 Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580 System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.

Notas

can overlap errors related to escalated privileges

Referências

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Submissão

Nome Organização Data Data de lançamento Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificações

Nome Organização Data Comentário
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-09-27 +00:00 updated Description, Name, Observed_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2020-02-24 +00:00 updated Description, Name, Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2023-01-31 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Description, Diagram, Modes_of_Introduction
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.