The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
View on MITRENo mitigation information available for this CWE.
No detection method information available for this CWE.
The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.
In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials.
This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal.
View DetailsBulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.
View DetailsOperating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.
View DetailsProduct allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.
View DetailsProduct sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.
View DetailsProduct may generate different responses than specified by the administrator, possibly leading to an information leak.
View DetailsVersion control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
View DetailsFTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.
View DetailsNo relationship information available for this CWE.
CWE-204: Observable Response Discrepancy is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
If exploited, CWE-204 (Observable Response Discrepancy) it can compromise Confidentiality and Access Control, leading to outcomes such as Read Application Data and Bypass Protection Mechanism.
CWE-204 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-204, including CVE-2002-2094, CVE-2001-1483, CVE-2001-1528, CVE-2004-2150 and CVE-2005-1650. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-204 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.