CWE-363: Race Condition Enabling Link Following
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.
扩展描述
While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the product to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks.
常见后果
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Modify Files or Directories
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Race condition enabling link following | - |
| CERT C Secure Coding | POS35-C | Avoid race conditions while checking for the existence of a symbolic link | Exact |
| Software Fault Patterns | SFP20 | Race Condition Window | - |