CWE-208: Information Exposure Through Timing Discrepancy
Weakness ID: 208 (Weakness Base)
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target loading, which indicates whether the file exists or not.
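
The padding/MAC discrepancy from the SSL example above, shown as a leaky verifier beside a hardened one. This is an added example, not code from any SSL implementation; the record layout (payload || HMAC-SHA256 || PKCS#7-style padding), the function names and the sample key are assumptions, and the MAC-call counter stands in for elapsed time so the difference is deterministic.

```python
import hashlib
import hmac

MAC_LEN = 32   # HMAC-SHA256 tag length
BLOCK = 16     # cipher block size assumed for padding
mac_calls = 0  # instrumentation: MAC computations, a stand-in for elapsed time

def compute_mac(key, data):
    global mac_calls
    mac_calls += 1
    return hmac.new(key, data, hashlib.sha256).digest()

def build_record(key, payload):
    body = payload + compute_mac(key, payload)
    n = BLOCK - len(body) % BLOCK
    return body + bytes([n]) * n

def padding_len(record):
    """Return the pad length if the trailing padding is well formed, else None."""
    n = record[-1]
    if 1 <= n <= BLOCK and n <= len(record) - MAC_LEN and record[-n:] == bytes([n]) * n:
        return n
    return None

def verify_leaky(key, record):
    n = padding_len(record)
    if n is None:
        return False                      # early exit: no MAC work on bad padding
    body = record[:-n]
    return body[-MAC_LEN:] == compute_mac(key, body[:-MAC_LEN])  # non-constant-time compare

def verify_uniform(key, record):
    n = padding_len(record)
    pad_ok = n is not None
    body = record[:-n] if pad_ok else record   # bad padding: treat as zero-length pad
    mac_ok = hmac.compare_digest(body[-MAC_LEN:], compute_mac(key, body[:-MAC_LEN]))
    return pad_ok & mac_ok                # one combined result, one error path

def mac_work(verify, key, record):
    """Number of MAC computations a single verification performs."""
    before = mac_calls
    verify(key, record)
    return mac_calls - before

# Constructed sample records (decrypted plaintext: payload || MAC || padding).
KEY = b"constructed-demo-key"
GOOD = build_record(KEY, b"transfer=100")
BAD_PAD = GOOD[:-1] + b"\x00"              # malformed padding
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]  # valid padding, wrong MAC
```

Both verifiers reject the two bad records, but only verify_leaky does a different amount of work for each kind of failure. The hardened form still MACs inputs of slightly different length on the two paths, so it narrows the discrepancy rather than removing every trace of it.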