Vulnerabilities > Information Exposure Through Discrepancy
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-09 | CVE-2024-2408 | Information Exposure Through Discrepancy vulnerability in multiple products The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). | 5.9 |
| 2024-06-07 | CVE-2024-31878 | Information Exposure Through Discrepancy vulnerability in IBM I IBM i 7.2, 7.3, 7.4, and 7.5 Service Tools Server (SST) is vulnerable to SST user enumeration by a remote attacker. | 5.3 |
| 2024-06-06 | CVE-2024-5124 | Information Exposure Through Discrepancy vulnerability in Gaizhenbiao Chuanhuchatgpt A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. | 7.5 |
| 2024-02-21 | CVE-2022-45177 | Information Exposure Through Discrepancy vulnerability in Liveboxcloud Vdesk 018/031 An issue was discovered in LIVEBOX Collaboration vDesk through v031. | 7.5 |
| 2024-02-11 | CVE-2024-25714 | Information Exposure Through Discrepancy vulnerability in multiple products In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. | 9.8 |
| 2024-02-09 | CVE-2023-6935 | Information Exposure Through Discrepancy vulnerability in Wolfssl wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. | 5.9 |
| 2024-02-08 | CVE-2024-25189 | Information Exposure Through Discrepancy vulnerability in Bencollins JWT C Library 1.15.3 libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | 9.8 |
| 2024-02-08 | CVE-2024-25190 | Information Exposure Through Discrepancy vulnerability in Glitchedpolygons L8W8Jwt 2.2.1 l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | 9.8 |
| 2024-02-08 | CVE-2024-25191 | Information Exposure Through Discrepancy vulnerability in Zihanggao PHP-Jwt 1.0.0 php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | 9.8 |
| 2024-02-08 | CVE-2024-25146 | Information Exposure Through Discrepancy vulnerability in Liferay DXP and Liferay Portal Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. | 5.3 |