CWE-412: Unrestricted Externally Accessible Lock

BaseIncomplete

The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.

View on MITRE
Back to CWE Lookup

Extended Description

This prevents the product from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-412: Unrestricted Externally Accessible Lock?+

CWE-412: Unrestricted Externally Accessible Lock is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. This prevents the product from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.

What are the security consequences of Unrestricted Externally Accessible Lock?+

If exploited, CWE-412 (Unrestricted Externally Accessible Lock) it can compromise Availability, leading to outcomes such as DoS: Resource Consumption (Other).

How do you prevent or mitigate Unrestricted Externally Accessible Lock?+

Recommended mitigations for CWE-412 include: Use any access control that is offered by the functionality that is offering the lock. Use unpredictable names or identifiers for the locks. This might not always be possible or feasible. Consider modifying your code to use non-blocking synchronization methods.

How is Unrestricted Externally Accessible Lock detected?+

CWE-412 can be detected using White Box. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Unrestricted Externally Accessible Lock?+

CWE-412 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Unrestricted Externally Accessible Lock?+

MITRE documents real CVEs mapped to CWE-412, including CVE-2001-0682, CVE-2002-1914, CVE-2002-1915, CVE-2002-0051 and CVE-2000-0338. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-412 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-412: Unrestricted Externally Accessible Lock | CWE Lookup | InventiveHQ