Filtered by CWE-203
Total 675 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-37459 1 Amperecomputing 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more 2024-11-21 7.8 High
Ampere Altra devices before 1.08g and Ampere Altra Max devices before 2.05a allow attackers to control the predictions for return addresses and potentially hijack code flow to execute arbitrary code via a side-channel attack, aka a "Retbleed" issue.
CVE-2022-37146 1 Plextrac 1 Plextrac 2024-11-21 5.3 Medium
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated.
CVE-2022-36885 2 Jenkins, Redhat 2 Github, Openshift 2024-11-21 5.3 Medium
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.
CVE-2022-34174 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-11-21 7.5 High
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
CVE-2022-32425 1 Mealie 1 Mealie 2024-11-21 5.3 Medium
The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time.
CVE-2022-32273 1 Opswat 1 Metadefender 2024-11-21 4.3 Medium
As a result of an observable discrepancy in returned messages, OPSWAT MetaDefender Core (MDCore) before 5.1.2 could allow an authenticated user to enumerate filenames on the server.
CVE-2022-30332 1 Talend 1 Administration Center 2024-11-21 5.3 Medium
In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.
CVE-2022-2891 1 Wpwhitesecurity 1 Wp 2fa 2024-11-21 5.9 Medium
The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.
CVE-2022-2612 2 Fedoraproject, Google 2 Fedora, Chrome 2024-11-21 6.5 Medium
Side-channel information leakage in Keyboard input in Google Chrome prior to 104.0.5112.79 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2022-27814 1 Waycrate 1 Swhkd 2024-11-21 3.3 Low
SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.
CVE-2022-24912 1 Runatlantis 1 Atlantis 2024-11-21 7.5 High
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
CVE-2022-24043 1 Siemens 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more 2024-11-21 5.3 Medium
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application fails to normalize the response times of login attempts performed with wrong usernames with the ones executed with correct usernames. A remote unauthenticated attacker could exploit this side-channel information to perform a username enumeration attack and identify valid usernames.
CVE-2022-24032 1 Adenza 1 Axiomsl Controllerview 2024-11-21 5.3 Medium
Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enumeration. An attacker can identify valid usernames on the platform because a failed login attempt produces a different error message when the username is valid.
CVE-2022-23823 1 Amd 284 A10-9600p, A10-9600p Firmware, A10-9630p and 281 more 2024-11-21 6.5 Medium
A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.
CVE-2022-23304 2 Fedoraproject, W1.fi 3 Fedora, Hostapd, Wpa Supplicant 2024-11-21 9.8 Critical
The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
CVE-2022-23303 3 Fedoraproject, Redhat, W1.fi 4 Fedora, Enterprise Linux, Hostapd and 1 more 2024-11-21 9.8 Critical
The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.
CVE-2022-23106 1 Jenkins 1 Configuration As Code 2024-11-21 5.3 Medium
Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.
CVE-2022-22356 1 Ibm 1 Mq Appliance 2024-11-21 6.5 Medium
IBM MQ Appliance 9.2 CD and 9.2 LTS could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts. IBM X-Force ID: 220487.
CVE-2022-22120 1 Xgenecloud 1 Nocodb 2024-11-21 5.3 Medium
In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses.
CVE-2022-20940 1 Cisco 1 Firepower Threat Defense 2024-11-21 5.3 Medium
A vulnerability in the TLS handler of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain access to sensitive information. This vulnerability is due to improper implementation of countermeasures against a Bleichenbacher attack on a device that uses SSL decryption policies. An attacker could exploit this vulnerability by sending crafted TLS messages to an affected device, which would act as an oracle and allow the attacker to carry out a chosen-ciphertext attack. A successful exploit could allow the attacker to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions to the affected device.