CWE-208(Observable Timing Discrepancy)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-54411 | 2026-06-14 | Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or netw… |
| CVE-2017-20240 | 2026-06-12 | Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying deriv… |
| CVE-2026-48011 | 2026-06-10 | Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18… |
| CVE-2026-48859 | 2026-06-10 | Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. Wh… |
| CVE-2026-5419 | 2026-06-01 | A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive informati… |
| CVE-2026-45410 | 2026-05-28 | TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an em… |
| CVE-2026-5091 | 2026-05-21 | Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess … |
| CVE-2026-44061 | 2026-05-21 | Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis. |
| CVE-2026-47373 | 2026-05-20 | Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash… |
| CVE-2026-47784 | 2026-05-20 | In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass. |
| CVE-2026-47783 | 2026-05-20 | In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.… |
| CVE-2026-44368 | 2026-05-13 | PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on th… |
| CVE-2026-42602 | 2026-05-13 | azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token… |
| CVE-2026-43514 | 2026-05-12 | Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1… |
| CVE-2026-41588 | 2026-05-08 | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16. |
| CVE-2026-41161 | 2026-05-08 | Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthent… |
| CVE-2026-33006 | 2026-05-04 | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes thi… |
| CVE-2026-41263 | 2026-04-30 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an att… |
| CVE-2026-41407 | 2026-04-28 | OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers… |
| CVE-2026-40972 | 2026-04-28 | An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the atta… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Relationships |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Observed_Examples, Relationships |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Other_Notes, Related_Attack_Patterns |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Related_Attack_Patterns |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Description, Name, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Related_Attack_Patterns |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Observed_Examples, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Demonstrative_Examples, Observed_Examples |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Maintenance_Notes |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Demonstrative_Examples |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Weakness_Ordinalities |