1. Home
  2. CWE Database
  3. CWE-675
Class · High

CWE-675: Multiple Operations on Resource in Single-Operation Context

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

CWE-675 · Class Level ·3 CVEs

Description

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

Potential Impact

Other

Other

Demonstrative Examples

The following code shows a simple example of a double free vulnerability.
Bad
char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr);
Double free vulnerabilities have two common (and sometimes overlapping) causes:
Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
This code binds a server socket to port 21, allowing the server to listen for traffic on that port.
Bad
void bind_socket(void) {
               
                 int server_sockfd;int server_len;struct sockaddr_in server_address;
                 
                 /*unlink the socket if already bound to avoid an error when bind() is called*/
                 
                 unlink("server_socket");server_sockfd = socket(AF_INET, SOCK_STREAM, 0);
                 server_address.sin_family = AF_INET;server_address.sin_port = 21;server_address.sin_addr.s_addr = htonl(INADDR_ANY);server_len = sizeof(struct sockaddr_in);
               bind(server_sockfd, (struct sockaddr *) &s1, server_len);
               }
This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server.

Real-World CVE Examples

CVE IDDescription
CVE-2009-0935Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
CVE-2019-13351file descriptor double close can cause the wrong file to be associated with a file descriptor.
CVE-2004-1939XSS protection mechanism attempts to remove "/" that could be used to close tags, but it can be bypassed using double encoded slashes (%252F)

CWE-573: Improper Following of Specification by Caller

The product does not follow or incorrectly follows the specifications as required by the implementation language, enviro...

CWE-586: Explicit Call to Finalize()

The product makes an explicit call to the finalize() method from outside the finalizer.

CWE-102: Struts: Duplicate Validation Forms

The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form...

Frequently Asked Questions

What is CWE-675?

CWE-675 (Multiple Operations on Resource in Single-Operation Context) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product performs the same operation on a resource two or more times, when the operation should only be applied once.

How can CWE-675 be exploited?

Attackers can exploit CWE-675 (Multiple Operations on Resource in Single-Operation Context) to other. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-675?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-675?

CWE-675 is classified as a Class-level weakness (High abstraction). It has been observed in 3 real-world CVEs.