CWE-421 Detail

CWE-421

Race Condition During Access to Alternate Channel
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Meldingen beheren

Naam: Race Condition During Access to Alternate Channel

The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

CWE-beschrijving

This creates a race condition that allows an attacker to access the channel before the authorized user does.

Algemene informatie

Introductiemodi

Architecture and Design

Toepasselijke platforms

Taal

Class: Not Language-Specific (Undetermined)

Veelvoorkomende gevolgen

Bereik Impact Waarschijnlijkheid
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Waargenomen voorbeelden

Referenties Beschrijving

CVE-1999-0351

FTP "Pizza Thief" vulnerability. Attacker can connect to a port that was intended for use by another client.

CVE-2003-0230

Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it.

Notities kwetsbaarheidsmapping

Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Referenties

REF-354

Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit
Blake Watts.
https://www.blakewatts.com/blog/discovering-and-exploiting-named-pipe-security-flaws-for-fun-and-profit

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Indiening

Naam Organisatie Datum Releasedatum Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Wijzigingen

Naam Organisatie Datum Opmerking
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Type
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2009-01-12 +00:00 updated References
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated Other_Notes
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Functional_Areas
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
De informatie die op CVE Find wordt gepresenteerd, is afkomstig van verschillende zorgvuldig geselecteerde referentiebronnen. CVE-gegevens worden geleverd door MITRE Corporation en de National Vulnerability Database (NVD). De Known Exploited Vulnerabilities (KEV)-catalogus is afkomstig van de Cybersecurity and Infrastructure Security Agency (CISA), terwijl EPSS-scores afkomstig zijn van FIRST.org. Daarnaast worden gegevens over softwarezwakheden (CWE) en veelvoorkomende aanvalspatronen (CAPEC) bijgehouden door MITRE Corporation, en informatie over hardware- en softwareconfiguraties (CPE) wordt geleverd door de NVD.