CWE · MITRE source
CWE-204: Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 13 mapping(s) from 3 framework(s): ATT&CK 8 (mostly) · CAPEC 4 (partial) · ASVS 5.0 1 (partial)
NIST 800-53 r5 controls that address this weakness (2) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-30 | Concealment and Misdirection | SC | Fake or randomized responses remove distinguishable success/failure signals attackers rely on. |
| SI-11 | Error Handling | SI | Eliminates distinguishable response discrepancies in error conditions that could be exploited for reconnaissance. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2018-25350 | 7.0 | 9.8 | 0.0043 | 2026-05-23 |
| CVE-2022-41697 | 6.0 | 5.3 | 0.2020 | 2022-12-22 |
| CVE-2021-34580 | 5.5 | 7.5 | 0.0100 | 2021-10-27 |
| CVE-2021-20049 | 5.5 | 7.5 | 0.0135 | 2021-12-23 |
| CVE-2025-5485 | 5.5 | 8.6 | 0.0039 | 2025-06-12 |
| CVE-2025-3092 | 5.5 | 7.5 | 0.0041 | 2025-06-24 |
| CVE-2025-46390 | 5.5 | 7.5 | 0.0029 | 2025-08-06 |
| CVE-2025-12455 | 5.5 | 7.5 | 0.0030 | 2026-03-13 |
| CVE-2026-33419 | 5.5 | 7.5 | 0.0039 | 2026-03-24 |
| CVE-2026-4113 | 5.5 | 7.2 | 0.0036 | 2026-04-09 |
| CVE-2016-9499 | 3.5 | 5.3 | 0.0777 | 2018-07-13 |
| CVE-2020-11063 | 3.5 | 3.7 | 0.0119 | 2020-05-13 |
| CVE-2021-39189 | 3.5 | 5.3 | 0.0124 | 2021-09-15 |
| CVE-2021-38476 | 3.5 | 6.5 | 0.0074 | 2021-10-19 |
| CVE-2022-0564 | 3.5 | 5.3 | 0.0136 | 2022-02-21 |
| CVE-2022-31248 | 3.5 | 5.3 | 0.0096 | 2022-06-22 |
| CVE-2022-1989 | 3.5 | 5.3 | 0.0072 | 2022-08-23 |
| CVE-2022-22520 | 3.5 | 5.3 | 0.0081 | 2022-09-14 |
| CVE-2021-36201 | 3.5 | 4.3 | 0.0050 | 2022-10-11 |
| CVE-2022-39315 | 3.5 | 6.5 | 0.0059 | 2022-10-25 |
| CVE-2019-19030 | 3.5 | 5.3 | 0.0189 | 2022-12-26 |
| CVE-2022-39228 | 3.5 | 5.3 | 0.0059 | 2023-03-01 |
| CVE-2023-1540 | 3.5 | 5.3 | 0.0064 | 2023-03-21 |
| CVE-2023-27464 | 3.5 | 5.3 | 0.0046 | 2023-04-11 |
| CVE-2023-23449 | 3.5 | 5.3 | 0.0078 | 2023-05-15 |