Filtered by CWE-203
Filtered by vendor Subscriptions
Total 618 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-39021 1 Ibm 1 Guardium Data Encryption 2024-11-21 5.3 Medium
IBM Guardium Data Encryption (GDE) 5.0.0.2 behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which could facilitate username enumeration. IBM X-Force ID: 213856.
CVE-2021-38562 3 Bestpractical, Debian, Fedoraproject 3 Request Tracker, Debian Linux, Fedora 2024-11-21 7.5 High
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
CVE-2021-38476 1 Inhandnetworks 2 Ir615, Ir615 Firmware 2024-11-21 6.5 Medium
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 authentication process response indicates and validates the existence of a username. This may allow an attacker to enumerate different user accounts.
CVE-2021-38209 1 Linux 1 Linux Kernel 2024-11-21 3.3 Low
net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.
CVE-2021-38153 4 Apache, Oracle, Quarkus and 1 more 15 Kafka, Communications Brm - Elastic Charging Engine, Communications Cloud Native Core Policy and 12 more 2024-11-21 5.9 Medium
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CVE-2021-38009 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2024-11-21 6.5 Medium
Inappropriate implementation in cache in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-37968 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2024-11-21 4.3 Medium
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-37848 1 Pengutronix 1 Barebox 2024-11-21 7.5 High
common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.
CVE-2021-37606 1 Meow Hash Project 1 Meow Hash 2024-11-21 5.3 Medium
Meow hash 0.5/calico does not sufficiently thwart key recovery by an attacker who can query whether there's a collision in the bottom bits of the hashes of two messages, as demonstrated by an attack against a long-running web service that allows the attacker to infer collisions by measuring timing differences.
CVE-2021-37151 1 Cyberark 1 Identity 2024-11-21 5.3 Medium
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
CVE-2021-36201 1 Johnsoncontrols 2 C-cure 9000, C-cure 9000 Firmware 2024-11-21 4.3 Medium
Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions.
CVE-2021-35603 5 Debian, Fedoraproject, Netapp and 2 more 18 Debian Linux, Fedora, Active Iq Unified Manager and 15 more 2024-11-21 3.7 Low
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2021-35477 3 Debian, Fedoraproject, Linux 3 Debian Linux, Fedora, Linux Kernel 2024-11-21 5.5 Medium
In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.
CVE-2021-34580 1 Mbconnectline 2 Mbconnect24, Mymbconnect24 2024-11-21 7.5 High
In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
CVE-2021-34576 1 Kadenvodomery 2 Picoflux Air, Picoflux Air Firmware 2024-11-21 4.3 Medium
In Kaden PICOFLUX Air in all known versions an information exposure through observable discrepancy exists. This may give sensitive information (water consumption without distinct values) to third parties.
CVE-2021-34575 1 Mbconnectline 2 Mbconnect24, Mymbconnect24 2024-11-21 7.5 High
In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by checking what kind of response the server sends.
CVE-2021-34556 3 Debian, Fedoraproject, Linux 3 Debian Linux, Fedora, Linux Kernel 2024-11-21 5.5 Medium
In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.
CVE-2021-33880 2 Oracle, Websockets Project 5 Communications Cloud Native Core Policy, Communications Cloud Native Core Security Edge Protection Proxy, Communications Cloud Native Core Service Communication Proxy and 2 more 2024-11-21 5.9 Medium
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
CVE-2021-33845 1 Splunk 1 Splunk 2024-11-21 5.3 Medium
The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors.
CVE-2021-33838 1 Luca-app 1 Luca 2024-11-21 7.5 High
Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because requests related to Check-In State occur shortly after requests for Phone Number Registration.