Description
A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-706
CWE-367
CWE-610
CWE-486
Consequences
Access Control: Gain Privileges or Assume Identity
The attacker can gain access to otherwise unauthorized resources.
Integrity, Confidentiality, Other: Modify Application Data, Modify Files or Directories, Read Application Data, Read Files or Directories, Other
Race conditions such as this kind may be employed to gain read or write access to resources not normally readable or writable by the user in question.
Integrity, Other: Modify Application Data, Other
The resource in question, or other resources (through the corrupted one) may be changed in undesirable ways by a malicious user.
Non-Repudiation: Hide Activities
If a file or other resource is written in this method, as opposed to a valid way, logging of the activity may not occur.
Non-Repudiation, Integrity: Modify Files or Directories
In some cases it may be possible to delete files that a malicious user might not otherwise have access to — such as log files.
Potential Mitigations
CVE References
More Stories
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...
CWE-67 – Improper Handling of Windows Device Names
Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a...
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to...
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect...