Total
626 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13939 | 1 Fractal | 1 String\ | 2025-04-11 | N/A | 7.5 HIGH |
| String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829 | |||||
| CVE-2013-1620 | 4 Canonical, Mozilla, Oracle and 1 more | 15 Ubuntu Linux, Network Security Services, Enterprise Manager Ops Center and 12 more | 2025-04-11 | 4.3 MEDIUM | N/A |
| The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | |||||
| CVE-2022-47952 | 1 Linuxcontainers | 1 Lxc | 2025-04-10 | N/A | 3.3 LOW |
| lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist. | |||||
| CVE-2022-4499 | 1 Tp-link | 4 Archer C5, Archer C5 Firmware, Tl-wr710n and 1 more | 2025-04-09 | N/A | 7.5 HIGH |
| TP-Link routers, Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd, is susceptible to a side-channel attack. By measuring the response time of the httpd process, an attacker could guess each byte of the username and password. | |||||
| CVE-2022-3143 | 1 Redhat | 2 Jboss Enterprise Application Platform, Wildfly Elytron | 2025-04-09 | N/A | 7.4 HIGH |
| wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user. | |||||
| CVE-2022-4543 | 1 Linux | 1 Linux Kernel | 2025-04-08 | N/A | 5.5 MEDIUM |
| A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems. | |||||
| CVE-2025-0361 | 2025-04-08 | N/A | 4.3 MEDIUM | ||
| During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX Device Configuration SSH Management API. | |||||
| CVE-2010-10006 | 1 Jopenid Project | 1 Jopenid | 2025-04-03 | 1.4 LOW | 2.6 LOW |
| A vulnerability, which was classified as problematic, was found in michaelliao jopenid. Affected is the function getAuthentication of the file JOpenId/src/org/expressme/openid/OpenIdManager.java. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.08 is able to address this issue. The name of the patch is c9baaa976b684637f0d5a50268e91846a7a719ab. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218460. | |||||
| CVE-2004-1602 | 1 Proftpd | 1 Proftpd | 2025-04-03 | 5.0 MEDIUM | N/A |
| ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. | |||||
| CVE-2004-0243 | 1 Ibm | 1 Aix | 2025-04-03 | 5.0 MEDIUM | N/A |
| AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. | |||||
| CVE-2004-2252 | 1 Sophos | 1 Astaro Security Linux | 2025-04-03 | 5.0 MEDIUM | N/A |
| The firewall in Astaro Security Linux before 4.024 sends responses to SYN-FIN packets, which makes it easier for remote attackers to obtain information about the system and construct specialized attacks. | |||||
| CVE-2004-1428 | 1 Argosoft | 1 Ftp Server | 2025-04-03 | 5.0 MEDIUM | N/A |
| ArGoSoft FTP before 1.4.2.1 generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. | |||||
| CVE-2003-0078 | 3 Freebsd, Openbsd, Openssl | 3 Freebsd, Openbsd, Openssl | 2025-04-03 | 5.0 MEDIUM | N/A |
| ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." | |||||
| CVE-2002-0514 | 1 Openbsd | 1 Openbsd | 2025-04-03 | 5.0 MEDIUM | N/A |
| PF in OpenBSD 3.0 with the return-rst rule sets the TTL to 128 in the RST packet, which allows remote attackers to determine if a port is being filtered because the TTL is different than the default TTL. | |||||
| CVE-2003-0637 | 1 Novell | 1 Ichain | 2025-04-03 | 5.0 MEDIUM | N/A |
| Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. | |||||
| CVE-2002-0208 | 1 Network.associates | 1 Pgpfire | 2025-04-03 | 5.0 MEDIUM | N/A |
| PGP Security PGPfire 7.1 for Windows alters the system's TCP/IP stack and modifies packets in ICMP error messages in a way that allows remote attackers to determine that the system is running PGPfire. | |||||
| CVE-2004-2150 | 1 Nettica | 1 Intellipeer Email Server | 2025-04-03 | 5.0 MEDIUM | N/A |
| Nettica Corporation INTELLIPEER Email Server 1.01 displays different error messages for valid and invalid account names, which allows remote attackers to determine valid account names. | |||||
| CVE-2003-0190 | 3 Openbsd, Openpkg, Siemens | 6 Openssh, Openpkg, Scalance X204rna and 3 more | 2025-04-03 | 5.0 MEDIUM | N/A |
| OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. | |||||
| CVE-2001-1528 | 1 Amtote | 1 Homebet | 2025-04-03 | 5.0 MEDIUM | N/A |
| AmTote International homebet program returns different error messages when invalid account numbers and PIN codes are provided, which allows remote attackers to determine the existence of valid account numbers via a brute force attack. | |||||
| CVE-2002-0515 | 1 Phildev | 1 Ipfilter | 2025-04-03 | 5.0 MEDIUM | N/A |
| IPFilter 3.4.25 and earlier sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. | |||||