
CWE-205

Observable Behavioral Discrepancy

Base · Incomplete · Simple · 2 CVEs

The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.

Extended description

Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel.

Common consequences (1)

  • Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Relationships (2)

CVEs referencing this CWE (2)

CVE-2017-11155
  Description: An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.
  Severity: NONE
  EPSS: 45% (p99)
  Flags: Functional
  Modified: 2026-05-13

CVE-2024-6129
  Description: A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268896.
  Severity: LOW 3.7
  EPSS: 0.61% (p44)
  Modified: 2024-11-21