CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-367 Medium
- Abstraction: Base
- Structure: Simple
- Status: Incomplete
- Weakness Name
Time-of-check Time-of-use (TOCTOU) Race Condition
- Description
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the result of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
This weakness is security-relevant when an attacker can influence the state of the resource between the check and the use. Shared resources are the usual vehicle: files referenced by path (an attacker who can write the containing directory can swap a file for a symbolic link between a permission check and an open), shared memory, or variables shared between threads in a multithreaded program. The defining property is that the check and the use name the resource independently, so the thing that was checked is not guaranteed to be the thing that is used.
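The file-system form of the race, as an added example that is not part of the CWE entry: the vulnerable function checks a path with access() and then opens the same path, while the hardened function opens once with O_NOFOLLOW and validates the file descriptor with fstat(), so the object checked is the object used. The attacker's move (replacing the checked file with a symbolic link via an atomic rename) is simulated in-process by a hook that fires in the window; the temporary directory, file names and contents are constructed for the demo, and in a real attack the "secret" file would be owned by another user, which the st_uid check in the hardened version is there to catch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook that stands in for an attacker acting in the check/use window. */
typedef void (*race_hook)(void *ctx);

/* VULNERABLE (CWE-367): access() resolves the path once, open() resolves it
   again. Anyone who can write the directory can re-point the name in between. */
int open_if_readable_vulnerable(const char *path, race_hook between, void *ctx)
{
    if (access(path, R_OK) != 0)      /* time of check: path-based */
        return -1;
    if (between) between(ctx);        /* the window the attacker races into */
    return open(path, O_RDONLY);      /* time of use: same string, new lookup */
}

/* HARDENED: open first, then check the descriptor, not the path. O_NOFOLLOW
   rejects a symlink at the final component; fstat() on the fd is bound to the
   inode that was actually opened, so nothing done to the name afterwards can
   change what is checked. */
int open_regular_file_hardened(const char *path, uid_t expected_owner,
                               race_hook between, void *ctx)
{
    if (between) between(ctx);        /* worst case: attacker moves before open */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                    /* ELOOP if the name became a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* ---- constructed demo scenario (paths and contents are made up) ---- */
struct race_demo { char dir[64]; char victim[128]; char secret[128]; };

/* Attacker: atomically replace victim.txt with a symlink to secret.txt. */
static void attacker_swap(void *ctx)
{
    struct race_demo *d = ctx;
    char tmplink[192];
    snprintf(tmplink, sizeof tmplink, "%s/.swap", d->dir);
    if (symlink(d->secret, tmplink) == 0)
        rename(tmplink, d->victim);   /* rename(2) is atomic: no half-state */
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Returns 1 if the open handed back the secret's contents (race won),
   0 if not, -1 on setup failure. hardened=0 uses the vulnerable function. */
int run_demo(int hardened)
{
    struct race_demo d;
    strcpy(d.dir, "/tmp/toctou-XXXXXX");
    if (!mkdtemp(d.dir)) return -1;
    snprintf(d.victim, sizeof d.victim, "%s/victim.txt", d.dir);
    snprintf(d.secret, sizeof d.secret, "%s/secret.txt", d.dir);
    if (write_file(d.victim, "PUBLIC") != 0 || write_file(d.secret, "SECRET") != 0)
        return -1;

    int fd = hardened
        ? open_regular_file_hardened(d.victim, getuid(), attacker_swap, &d)
        : open_if_readable_vulnerable(d.victim, attacker_swap, &d);

    int leaked = 0;
    if (fd >= 0) {
        char buf[8] = {0};
        if (read(fd, buf, sizeof buf - 1) > 0)
            leaked = strcmp(buf, "SECRET") == 0;
        close(fd);
    }
    unlink(d.victim); unlink(d.secret); rmdir(d.dir);
    return leaked;
}

int main(void)
{
    printf("vulnerable open leaked secret: %d\n", run_demo(0));
    printf("hardened   open leaked secret: %d\n", run_demo(1));
    return 0;
}
```

The general rule the hardened version applies is: never re-derive the resource from the name after checking it; obtain a handle (fd, inode, locked object) once, and do every check against that handle. On Linux, openat() relative to a directory fd, O_NOFOLLOW and fstat()/fchmod()/fchown() on the fd are the standard tools for this; access() on a path followed by open() on the same path is the canonical anti-pattern.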
- Common Consequences
Scope: Integrity, Other
Impact: Alter Execution Logic, Unexpected State
Notes: The attacker can gain access to otherwise unauthorized resources.
Scope: Integrity, Other
Impact: Modify Application Data, Modify Files or Directories, Modify Memory, Other
Notes: Race conditions of this kind may be used to gain read or write access to resources that are not normally readable or writable by the user in question.
Scope: Integrity, Other
Impact: Other
Notes: The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user.
Scope: Non-Repudiation
Impact: Hide Activities
Notes: If a file or other resource is written through such a race rather than through the intended path, the activity may never be logged.
Scope: Non-Repudiation, Other
Impact: Other
Notes: In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files.
- Related Weaknesses
- Release Date: 2006-07-19
- Latest Modification Date: 2023-06-29