CWE-208: Observable Timing Discrepancy

BaseIncomplete

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

View on MITRE
Back to CWE Lookup

Extended Description

In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-208: Observable Timing Discrepancy?+

CWE-208: Observable Timing Discrepancy is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.

What are the security consequences of Observable Timing Discrepancy?+

If exploited, CWE-208 (Observable Timing Discrepancy) it can compromise Confidentiality and Access Control, leading to outcomes such as Read Application Data and Bypass Protection Mechanism.

Which programming languages are affected by Observable Timing Discrepancy?+

CWE-208 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Observable Timing Discrepancy?+

MITRE documents real CVEs mapped to CWE-208, including CVE-2019-10071, CVE-2019-10482, CVE-2014-0984, CVE-2003-0078 and CVE-2000-1117. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-208 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More