
CWE-362 Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition"): vulnerability list (422)

Summary of the 422 CVE vulnerabilities in the CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization, "Race Condition") weakness class, with AI-generated Chinese analysis.

CWE-362 is a concurrency weakness: a code sequence that needs exclusive access to a shared resource lacks synchronization, leaving a timing window in which another concurrently running sequence can modify that resource. Attackers typically exploit such a race by issuing carefully timed concurrent requests that tamper with data or bypass a security check, producing logic errors or privilege escalation. Developers should make access to shared resources atomic, using synchronization mechanisms such as locks, transactions or atomic operations to close the race window and preserve data consistency.

Official MITRE CWE description

CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may take the form of a function call, a small number of instructions, a series of program invocations, and so on. A race condition violates the following closely related properties:

Exclusivity: the code sequence is given exclusive access to the shared resource, i.e. no other code sequence can modify properties of the shared resource before the original sequence has finished executing.

Atomicity: the code sequence is behaviorally atomic, i.e. no other thread or process can concurrently execute the same sequence of instructions (or a subset of it) against the same resource.

A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity. The interfering code sequence may be "trusted" or "untrusted". A trusted interfering code sequence occurs within the product; the attacker cannot modify it and can only invoke it indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and is typically external to the vulnerable product.
Common consequences (4)

Scope: Availability
Impact: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
Note: When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion.

Scope: Availability
Impact: DoS: Crash, Exit, or Restart, DoS: Instability
Note: When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash.

Scope: Confidentiality, Integrity
Impact: Read Files or Directories, Read Application Data
Note: When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).

Scope: Access Control
Impact: Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism
Note: This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.
Mitigations (5)

Phase: Architecture and Design
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Phase: Architecture and Design
Use thread-safe capabilities such as the data access abstraction in Spring.

Phase: Architecture and Design
Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).

Phase: Implementation
When using multithreading and operating on shared variables, only use thread-safe functions.

Phase: Implementation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Code examples (2)

This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.

Bad · Perl

```perl
$transfer_amount = GetTransferAmount();
$balance = GetBalanceFromDatabase();

if ($transfer_amount < 0) {
    FatalError("Bad Transfer Amount");
}
$newbalance = $balance - $transfer_amount;
if (($balance - $transfer_amount) < 0) {
    FatalError("Insufficient Funds");
}
SendNewBalanceToDatabase($newbalance);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");
```

Attack · Other

In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account. CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.

1. CALLER-1 makes a transfer request of 80.00.
2. PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00.
3. PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().
4. Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.
5. CALLER-2 makes a transfer req

The following function attempts to acquire a lock in order to perform operations on a shared resource. The return value of pthread_mutex_lock() is never checked, so if the lock call fails the shared resource is accessed without the lock being held.

Bad · C

```c
void f(pthread_mutex_t *mutex) {
    pthread_mutex_lock(mutex);

    /* access shared resource */

    pthread_mutex_unlock(mutex);
}
```

The corrected version checks the result of pthread_mutex_lock() and returns it on failure, so the shared resource is only touched while the lock is actually held, and the caller can see whether unlocking succeeded.

Good · C

```c
int f(pthread_mutex_t *mutex) {
    int result;

    result = pthread_mutex_lock(mutex);
    if (0 != result)
        return result;

    /* access shared resource */

    return pthread_mutex_unlock(mutex);
}
```
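The transfer race described in the Perl and "Attack" samples, reproduced as an added example that is not part of the CWE entry or of this page: several callers submit the same 80.00 transfer against a 100.00 balance at once. transfer_unsynchronized() mirrors the Perl sample's read-check-write sequence (the same non-atomic shape as the "x++" the mitigations warn about); transfer_locked() holds a per-account mutex across the check and the update and propagates the lock return codes the way the "Good · C" sample does. The type and function names (account_t, caller_t, run_callers) and all amounts are constructed for this example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_CALLERS 16

/* Constructed shared resource: one account balance guarded by a mutex. */
typedef struct {
    long balance;
    pthread_mutex_t lock;
} account_t;

/* Vulnerable: mirrors the Perl sample. Read, check and write are separate
   steps, so a second caller can read the same pre-transfer balance in the
   window between the read and the write. */
static bool transfer_unsynchronized(account_t *acct, long amount)
{
    long balance = acct->balance;                 /* read  */
    if (amount < 0 || balance - amount < 0)       /* check */
        return false;
    /* window: another caller may read the stale balance here */
    acct->balance = balance - amount;             /* write */
    return true;
}

/* Hardened: check and update run under the account lock, and the lock and
   unlock return codes are propagated as in the "Good · C" sample. If the
   lock cannot be taken, *ok stays false and the resource is never touched. */
static int transfer_locked(account_t *acct, long amount, bool *ok)
{
    *ok = false;
    int rc = pthread_mutex_lock(&acct->lock);
    if (rc != 0)
        return rc;
    if (amount >= 0 && acct->balance - amount >= 0) {
        acct->balance -= amount;
        *ok = true;
    }
    return pthread_mutex_unlock(&acct->lock);
}

/* One concurrent caller (PROGRAM-1, PROGRAM-2, ... in the page's narrative). */
typedef struct {
    account_t *acct;
    long amount;
    bool use_lock;
    bool succeeded;
} caller_t;

static void *caller_run(void *arg)
{
    caller_t *c = arg;
    if (c->use_lock)
        transfer_locked(c->acct, c->amount, &c->succeeded);
    else
        c->succeeded = transfer_unsynchronized(c->acct, c->amount);
    return NULL;
}

/* Launch ncallers simultaneous transfers of `amount` against a fresh account
   holding `initial`. Returns how many callers were told their transfer
   succeeded (-1 on bad arguments); *final_balance receives the balance
   afterwards. Under the lock at most initial/amount transfers can succeed;
   without it, every caller that read the stale balance reports success. */
static int run_callers(int ncallers, long initial, long amount,
                       bool use_lock, long *final_balance)
{
    if (ncallers < 1 || ncallers > MAX_CALLERS)
        return -1;

    account_t acct = { .balance = initial };
    pthread_mutex_init(&acct.lock, NULL);

    pthread_t threads[MAX_CALLERS];
    caller_t callers[MAX_CALLERS];
    int started = 0;
    for (; started < ncallers; started++) {
        callers[started] = (caller_t){ &acct, amount, use_lock, false };
        if (pthread_create(&threads[started], NULL, caller_run,
                           &callers[started]) != 0)
            break;  /* join only the threads that were actually created */
    }

    int successes = 0;
    for (int i = 0; i < started; i++) {
        pthread_join(threads[i], NULL);
        if (callers[i].succeeded)
            successes++;
    }
    *final_balance = acct.balance;
    pthread_mutex_destroy(&acct.lock);
    return successes;
}

int main(void)
{
    long final_balance;
    int n = run_callers(8, 100, 80, true, &final_balance);
    printf("locked:   %d transfer(s) succeeded, balance %ld\n", n, final_balance);
    n = run_callers(8, 100, 80, false, &final_balance);
    printf("unlocked: %d transfer(s) succeeded, balance %ld\n", n, final_balance);
    return 0;
}
```

With the lock, exactly one of the eight transfers succeeds and the balance ends at 20. Without it, the balance still ends at 20 (every caller that passes the check computes 100 - 80), but every caller that read the stale 100 is told its transfer succeeded, so the user may be notified of several 80.00 transfers while only 80.00 was deducted: the lost update the "Attack" narrative describes. How many callers hit the window depends on scheduling, so a single unlocked run may show only one success; run it repeatedly, or under a race detector such as ThreadSanitizer, to observe the race.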
| CVE ID | Title | Product | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-46613 | OpenPLC race condition vulnerability | OpenPLC | 7.5 | High | 2025-04-25 |
| CVE-2024-58248 | nopCommerce security vulnerability | nopCommerce | 3.5 | Low | 2025-04-16 |
| CVE-2025-27492 | Microsoft Windows Secure Channel resource management error vulnerability | Windows 11 version 22H2 | 7.0 | High | 2025-04-08 |
| CVE-2025-26649 | Microsoft Windows Secure Channel resource management error vulnerability | Windows 11 version 22H2 | 7.0 | High | 2025-04-08 |
| CVE-2025-24808 | Discourse security vulnerability | discourse | 4.3 | Medium | 2025-03-26 |
| CVE-2024-7598 | Kubernetes security vulnerability | kube-apiserver | 3.1 | Low | 2025-03-20 |
| CVE-2025-30235 | Shearwater SecurEnvoy SecurAccess Enrol security vulnerability | SecurAccess | 3.5 | Low | 2025-03-19 |
| CVE-2024-58048 | Huawei HarmonyOS race condition vulnerability | HarmonyOS | 6.7 | Medium | 2025-03-04 |
| CVE-2024-58045 | Huawei HarmonyOS race condition vulnerability | HarmonyOS | 8.6 | High | 2025-03-04 |
| CVE-2025-1801 | Red Hat Ansible race condition vulnerability | | 8.1 | High | 2025-03-03 |
| CVE-2025-20119 | Cisco APIC race condition vulnerability | Cisco Application Policy Infrastructure Controller (APIC) | 6.0 | Medium | 2025-02-26 |
| CVE-2025-21376 | Microsoft Lightweight Directory Access Protocol security vulnerability | Windows 10 Version 1507 | 8.1 | High | 2025-02-11 |
| CVE-2025-0439 | Google Chrome security vulnerability | Chrome | 3.1 | - | 2025-01-15 |
| CVE-2025-21101 | Dell Display Manager race condition vulnerability | Dell Display Manager | 6.6 | Medium | 2025-01-15 |
| CVE-2025-21278 | Microsoft Windows Remote Desktop Services race condition vulnerability | Windows 10 Version 1507 | 6.2 | Medium | 2025-01-14 |
| CVE-2024-12747 | Rsync race condition vulnerability | | 5.6 | Medium | 2025-01-14 |
| CVE-2024-54120 | Huawei HarmonyOS race condition vulnerability | HarmonyOS | 4.1 | Medium | 2025-01-08 |
| CVE-2024-56441 | Huawei HarmonyOS race condition vulnerability | HarmonyOS | 4.1 | Medium | 2025-01-08 |
| CVE-2024-52906 | IBM AIX race condition vulnerability | AIX | 5.5 | Medium | 2024-12-25 |
| CVE-2024-11144 | LightFTP security vulnerability | LightFTP | 7.5 | High | 2024-12-16 |
| CVE-2024-48872 | Mattermost security vulnerability | Mattermost | 4.8 | Medium | 2024-12-16 |
| CVE-2024-54122 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.2 | Medium | 2024-12-12 |
| CVE-2024-54102 | HUAWEI HarmonyOS security vulnerability | HarmonyOS | 6.1 | Medium | 2024-12-12 |
| CVE-2024-49124 | Microsoft Lightweight Directory Access Protocol race condition vulnerability | Windows 10 Version 1809 | 8.1 | High | 2024-12-10 |
| CVE-2024-49084 | Microsoft Windows Kernel race condition vulnerability | Windows 10 Version 1809 | 7.0 | High | 2024-12-10 |
| CVE-2024-49353 | IBM Cloud Pak for Data security vulnerability | Watson Speech Services Cartridge for IBM Cloud Pak for Data | 7.5 | High | 2024-11-26 |
| CVE-2024-50313 | Siemens Mendix Runtime race condition vulnerability | Mendix Runtime V10 | 5.3 | Medium | 2024-11-12 |
| CVE-2024-51515 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.2 | Medium | 2024-11-05 |
| CVE-2024-47827 | Argo Workflows security vulnerability | argo-workflows | 5.7 | Medium | 2024-10-28 |
| CVE-2024-47870 | Gradio race condition vulnerability | gradio | 5.8 | Medium | 2024-10-10 |

CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization, "Race Condition") is a common weakness category; this platform has indexed 422 CVE vulnerabilities associated with it.