VYPR

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

Abstraction: Base · Status: Incomplete · Likelihood: Medium

Description

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-27 · CAPEC-29

CVEs mapped to this weakness (249)

page 13 of 13
  • CVE-2022-23181 (Jan 27, 2022)
    risk 0.00 · cvss · epss 0.01

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the…

  • CVE-2021-32708 (Jun 24, 2021)
    risk 0.00 · cvss · epss 0.03

    Flysystem is an open source file storage library for PHP. The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is…

  • CVE-2021-30465 (May 27, 2021)
    risk 0.00 · cvss · epss 0.07

    runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on…

  • CVE-2021-21615 (Jan 26, 2021)
    risk 0.00 · cvss · epss 0.01

    Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

  • CVE-2020-35889 (Dec 31, 2020)
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the crayon crate through 2020-08-31 for Rust. A TOCTOU issue has a resultant memory safety violation via HandleLike.

  • CVE-2017-18869 (Jun 15, 2020)
    risk 0.00 · cvss · epss 0.00

    A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

  • CVE-2020-8867 (Apr 22, 2020)
    risk 0.00 · cvss · epss 0.03

    This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions.…

  • CVE-2019-15608 (Mar 15, 2020)
    risk 0.00 · cvss · epss 0.02

    The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

  • CVE-2019-5421 (Apr 3, 2019)
    risk 0.00 · cvss · epss 0.02

    Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in…