CWE-689: Permission Race Condition During Resource Copy
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
Common Consequences
Scope: Confidentiality, Integrity
Technical Impact: Read Application Data, Modify Application Data
Observed Examples
Reference: CVE-2002-0760
Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
Reference: CVE-2005-2174
Product inserts a new object into database before setting the object's permissions, introducing a race condition.
Reference: CVE-2006-5214
Error file has weak permissions before a chmod is performed.
Reference: CVE-2005-2475
Archive permissions issue using hard link.
Reference: CVE-2003-0265
Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.
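The file-based pattern in the description and in the examples above (data is written first, permissions are fixed afterwards) next to the hardened ordering, as an added example that is not part of the CWE entry. The function names, the 0o640 target mode and the sample data are constructed for illustration; POSIX file modes are assumed.

```python
import os
import stat
import tempfile

CHUNK = 64 * 1024

def _pump(fin, fout):
    for chunk in iter(lambda: fin.read(CHUNK), b""):
        fout.write(chunk)
    fout.flush()

def copy_then_chmod(src, dst, final_mode):
    """Weak ordering: destination gets umask-derived permissions, chmod comes last."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        _pump(fin, fout)
        # Mode other local users see while the copied data is already in the file.
        exposed = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
    os.chmod(dst, final_mode)  # the exposure window closes only here
    return exposed

def copy_restricted_first(src, dst, final_mode):
    """Hardened ordering: create owner-only, copy, then apply the intended mode."""
    with open(src, "rb") as fin:
        # O_EXCL refuses a destination that someone else created in advance.
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fout:
            _pump(fin, fout)
            exposed = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
            # Set the final mode on the open descriptor, not by path.
            os.fchmod(fout.fileno(), final_mode)
    return exposed

def demo():
    """Return (weak_exposed, weak_final, safe_exposed, safe_final) for a constructed file."""
    old_umask = os.umask(0o022)  # pin a common default so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.src")
            with open(src, "wb") as f:
                f.write(b"constructed sample secret\n" * 1000)
            weak, safe = os.path.join(d, "weak.out"), os.path.join(d, "safe.out")
            return (copy_then_chmod(src, weak, 0o640), stat.S_IMODE(os.stat(weak).st_mode),
                    copy_restricted_first(src, safe, 0o640), stat.S_IMODE(os.stat(safe).st_mode))
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

Both copies end at the same final mode; only the mode observed while the data is present differs, which is the window this weakness describes.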
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |