
CWE-412 Unrestricted Externally Accessible Lock: vulnerability list (4)

Summary of the 4 CVE entries associated with the CWE-412 (Unrestricted Externally Accessible Lock) weakness class, including AI-generated analysis in Chinese.

CWE-412 is an externally accessible lock weakness. The program does check the state of the lock, but the lock itself can be controlled by an unintended external entity, so an attacker can use it to interfere with resource access or block normal behaviour, leading to denial of service or logic errors. Developers should avoid exposing critical lock state to untrusted input, ensure that the lock mechanism is managed only by controlled internal logic, and strictly restrict external modification of the lock state of shared resources, in order to preserve system integrity.

MITRE CWE official description
CWE-412 Unrestricted Externally Accessible Lock: The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. This prevents the product from acting on associated resources or performing other behaviours that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.
Common consequences (1)
Availability: DoS: Resource Consumption (Other)
When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if there is a blocking operation on the lock.
Mitigations (3)
Architecture and Design, Implementation: Use any access control that is offered by the functionality that is offering the lock.
Architecture and Design, Implementation: Use unpredictable names or identifiers for the locks. This might not always be possible or feasible.
Architecture and Design: Consider modifying your code to use non-blocking synchronization methods.
Code example (1)
This code tries to obtain a lock for a file, then writes to it. PHP's flock() waits indefinitely for the lock by default, so if another actor can obtain and hold the lock on logFile.log, this function pauses execution and other users of the program are denied service.

```php
function writeToLog($message){
    $logfile = fopen("logFile.log", "a");
    // attempt to get logfile lock; without LOCK_NB, flock() blocks until the lock is granted
    if (flock($logfile, LOCK_EX)) {
        fwrite($logfile, $message);
        // unlock logfile
        flock($logfile, LOCK_UN);
    } else {
        print "Could not obtain lock on logFile.log, message not recorded\n";
    }
    // close the handle opened above (the original sample closed a differently named variable outside the function)
    fclose($logfile);
}
```

Bad · PHP
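To show the three mitigations listed above applied to the blocking-lock pattern of the PHP sample, here is an added example in Python (it is not part of the page or of MITRE's material). It assumes Unix flock() semantics: a lock directory created with mode 0700 provides the access control the filesystem offers, the lock-file name carries a random component so nobody outside the process can pre-create or sit on it, and LOCK_NB turns a held lock into a bounded number of retries instead of an indefinite wait. All paths are constructed in a temporary directory; the helper names private_lock_path, write_to_log and demo are this example's own.

```python
import errno
import fcntl
import os
import secrets
import tempfile
import time


def private_lock_path(lock_dir):
    """Return a lock-file path that an outside actor cannot predict or reach.

    Mitigations 1 and 2 from the page: the directory is restricted to the
    owning user (mode 0700) and the file name has a random component.
    """
    os.makedirs(lock_dir, mode=0o700, exist_ok=True)
    os.chmod(lock_dir, 0o700)            # re-apply in case the directory already existed
    return os.path.join(lock_dir, f"log-{secrets.token_hex(8)}.lock")


def write_to_log(log_path, lock_path, message, attempts=3, backoff_s=0.01):
    """Non-blocking counterpart of the page's writeToLog (mitigation 3).

    LOCK_NB makes flock() fail with EWOULDBLOCK instead of waiting forever,
    so a lock held elsewhere costs a few retries rather than a hang.
    Returns True if the message was written, False if the lock stayed busy.
    """
    with open(lock_path, "a") as lockf:
        for _ in range(attempts):
            try:
                fcntl.flock(lockf.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
                break
            except OSError as exc:
                if exc.errno not in (errno.EWOULDBLOCK, errno.EAGAIN):
                    raise
                time.sleep(backoff_s)
        else:
            return False                 # lock busy after all attempts: report, do not hang
        try:
            with open(log_path, "a") as logf:
                logf.write(message)
            return True
        finally:
            fcntl.flock(lockf.fileno(), fcntl.LOCK_UN)


def demo():
    """Exercise both outcomes: lock held by another descriptor, then lock free."""
    workdir = tempfile.mkdtemp()                       # constructed scratch location
    log_path = os.path.join(workdir, "logFile.log")
    lock_path = private_lock_path(os.path.join(workdir, "locks"))

    # Simulate another holder: a separate open() yields an independent open file
    # description, so its flock() conflicts with ours even inside one process.
    holder = open(lock_path, "a")
    fcntl.flock(holder.fileno(), fcntl.LOCK_EX)
    while_held = write_to_log(log_path, lock_path, "first\n")      # False: lock busy

    fcntl.flock(holder.fileno(), fcntl.LOCK_UN)
    holder.close()
    after_release = write_to_log(log_path, lock_path, "second\n")  # True: written

    with open(log_path) as f:
        contents = f.read()
    return while_held, after_release, contents


if __name__ == "__main__":
    print(demo())   # (False, True, 'second\n')
```

The retry loop bounds the cost of a contended lock; a caller that receives False can log the failure through a separate channel or degrade gracefully, whereas the PHP version simply stops until whoever holds the lock decides to release it.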
CVE ID         | Title                                                              | CVSS | Risk level | Published
---------------|--------------------------------------------------------------------|------|------------|-----------
CVE-2026-25612 | MongoDB Server security vulnerability — MongoDB Server             | 6.5  | Medium     | 2026-02-10
CVE-2023-22318 | Checkmk security vulnerability — Checkmk Appliance                 | 7.5  | High       | 2023-05-15
CVE-2019-11485 | Apport security vulnerability — apport                             | 3.3  | Low        | 2020-02-08
CVE-2019-18269 | Omron PLC CJ series security vulnerability — Omron PLC CJ Series   | 9.8  | -          | 2019-12-16

CWE-412 (Unrestricted Externally Accessible Lock) is a common weakness category; this platform lists 4 CVE entries associated with it.