Description
The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the product. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
Potential Impact
Integrity, Confidentiality, Other
Modify Application Data, Read Application Data, Alter Execution Logic
Demonstrative Examples
static void print (char * string) {
char * word;int counter;for (word = string; counter = *word++; ) {
putc(counter, stdout);fflush(stdout);
/* Make timing window a little larger... */
sleep(1);
}
}
int main(void) {
pid_t pid;
pid = fork();if (pid == -1) {exit(-2);}else if (pid == 0) {print("child\n");}else {print("PARENT\n");}exit(0);
}Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): LCK05-J — Synchronize access to static fields that can be modified by untrusted code
Frequently Asked Questions
What is CWE-820?
CWE-820 (Missing Synchronization) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
How can CWE-820 be exploited?
Attackers can exploit CWE-820 (Missing Synchronization) to modify application data, read application data, alter execution logic. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-820?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-820?
CWE-820 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.