CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Description
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-26 · CAPEC-29
CVEs mapped to this weakness (1,091)
page 35 of 55

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-45286 | | | 0.00 | — | 0.01 | | Nov 28, 2023 | A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then… |
| CVE-2023-46132 | | | 0.00 | — | 0.01 | | Nov 14, 2023 | Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a… |
| CVE-2023-20902 | | — | 0.00 | — | 0.00 | | Nov 9, 2023 | A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information. |
| CVE-2023-47111 | | | 0.00 | — | 0.01 | | Nov 8, 2023 | ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum.… |
| CVE-2023-33170 | | — | 0.00 | — | 0.02 | | Jul 11, 2023 | ASP.NET and Visual Studio Security Feature Bypass Vulnerability |
| CVE-2023-30543 | | | 0.00 | — | 0.00 | | Apr 17, 2023 | @web3-react is a framework for building Ethereum Apps. In affected versions the `chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by `useWeb3React()` may be incorrect. In an application, this… |
| CVE-2022-48366 | | — | 0.00 | — | 0.00 | | Mar 12, 2023 | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack. |
| CVE-2023-0739 | | — | 0.00 | — | 0.01 | | Feb 8, 2023 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in GitHub repository answerdev/answer prior to 1.0.4. |
| CVE-2023-22499 | | | 0.00 | — | 0.01 | | Jan 17, 2023 | Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program… |
| CVE-2022-46174 | | | 0.00 | — | 0.01 | | Dec 28, 2022 | efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to… |
| CVE-2022-2583 | | — | 0.00 | — | 0.00 | | Dec 27, 2022 | A race condition can cause incorrect HTTP request routing. |
| CVE-2022-39328 | | | 0.00 | — | 0.01 | | Nov 8, 2022 | Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load.… |
| CVE-2021-43980 | | — | 0.00 | — | 0.02 | | Sep 28, 2022 | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and… |
| CVE-2022-38170 | | | 0.00 | — | 0.01 | | Sep 2, 2022 | In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary… |
| CVE-2021-3702 | | — | 0.00 | — | 0.00 | | Aug 23, 2022 | A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of… |
| CVE-2022-24800 | | | 0.00 | — | 0.01 | | Jul 12, 2022 | October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user… |
| CVE-2022-31015 | | — | 0.00 | — | 0.01 | | May 31, 2022 | Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not… |
| CVE-2021-3597 | | — | 0.00 | — | 0.01 | | May 24, 2022 | A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to… |
| CVE-2022-24302 | | | 0.00 | — | 0.02 | | Mar 17, 2022 | In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. |
| CVE-2022-23639 | | | 0.00 | — | 0.01 | | Feb 15, 2022 | crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. However, the… |