
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Medium

  • Abstraction: Base
  • Structure: Simple
  • Status: Incomplete
Weakness Name

Time-of-check Time-of-use (TOCTOU) Race Condition

Description

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.
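The check-then-use window described above, shown on a file path, as an added example that is not part of the CWE entry. The first function inspects the path (time of check) and then opens the path again (time of use); the second opens once with O_NOFOLLOW and validates the resulting descriptor with fstat, so nothing that happens to the name afterwards can redirect the read. The `race` hook is a hypothetical stand-in for a concurrent actor acting inside the window, and the temporary files are constructed for the demonstration; POSIX semantics are assumed.

```python
import errno
import os
import shutil
import stat
import tempfile


def check_then_use(path, race=None):
    """Vulnerable pattern (CWE-367): inspect the *path*, then open the *path*.

    The symlink check and the open are two separate name lookups, so anything
    that repoints the name between them defeats the check. `race` is a
    hypothetical hook standing in for a concurrent actor acting in that window.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None  # refuse symlinks, but only as of the time of check
    if race:
        race()  # the time-of-check / time-of-use window
    with open(path, "rb") as f:  # open() follows symlinks via a fresh lookup
        return f.read()


def open_then_check(path, race=None):
    """Hardened pattern: open once without following symlinks, then validate
    the descriptor with fstat. Later operations use the fd, which is bound to
    the inode that was opened, not to the name.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:  # the name was a symlink: refused atomically
            return None
        raise
    try:
        if race:
            race()  # same window, but it can no longer affect the opened fd
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir: allowed.txt is the file the program
    is meant to read; secret.txt stands for a file it must not expose."""
    tmp = tempfile.mkdtemp(prefix="toctou-demo-")
    try:
        allowed = os.path.join(tmp, "allowed.txt")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def reset():
            if os.path.lexists(allowed):
                os.unlink(allowed)
            with open(allowed, "wb") as f:
                f.write(b"public")

        def swap():
            # Simulated concurrent actor: replace the regular file by a symlink.
            os.unlink(allowed)
            os.symlink(secret, allowed)

        reset()
        vulnerable = check_then_use(allowed, race=swap)  # reads secret.txt
        reset()
        hardened = open_then_check(allowed, race=swap)   # still reads allowed.txt
        refused = open_then_check(allowed)               # name is now a symlink
        return vulnerable, hardened, refused
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The general rule the hardened function follows is to make the check and the use refer to the same object: perform the check on the handle you will actually use (fstat on the fd, not stat on the path), and let the open itself refuse the cases the check was meant to catch (O_NOFOLLOW). The same idea applies to any shared resource: validate what you hold, not what a name currently resolves to.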

Common Consequences

Scope: Integrity, Other

Impact: Alter Execution Logic, Unexpected State

Notes: The attacker can gain access to otherwise unauthorized resources.

Scope: Integrity, Other

Impact: Modify Application Data, Modify Files or Directories, Modify Memory, Other

Notes: Race conditions of this kind may be used to gain read or write access to resources that are not normally readable or writable by the user in question.

Scope: Integrity, Other

Impact: Other

Notes: The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user.

Scope: Non-Repudiation

Impact: Hide Activities

Notes: If a file or other resource is written through this weakness rather than through the legitimate path, the activity may not be logged.

Scope: Non-Repudiation, Other

Impact: Other

Notes: In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files.

Related Weaknesses
  • Release Date: 2006-07-19
  • Latest Modification Date: 2023-06-29
