CWE-363: Race Condition Enabling Link Following
The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.
View on MITREExtended Description
While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the product to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This code prints the contents of a file if a user has permission.
This code attempts to resolve symbolic links before checking the file and printing its contents. However, an attacker may be able to change the file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files. Note that this code fails to log the attempted access (CWE-778).
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-363: Race Condition Enabling Link Following?+
CWE-363: Race Condition Enabling Link Following is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file. While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the product to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks.
What are the security consequences of Race Condition Enabling Link Following?+
If exploited, CWE-363 (Race Condition Enabling Link Following) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Files or Directories and Modify Files or Directories.
Which programming languages are affected by Race Condition Enabling Link Following?+
CWE-363 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-363 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.