The product uses the singleton pattern when creating a resource within a multithreaded environment.
View on MITREThe use of a singleton pattern may not be thread-safe.
Use the Thread-Specific Storage Pattern. See References.
Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition.
Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209).
No detection method information available for this CWE.
This method is part of a singleton pattern, yet the following singleton() pattern is not thread-safe. It is possible that the method will create two objects instead of only one.
Consider the following course of events:
No relationship information available for this CWE.
CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses the singleton pattern when creating a resource within a multithreaded environment. The use of a singleton pattern may not be thread-safe.
If exploited, CWE-543 (Use of Singleton Pattern Without Synchronization in a Multithreaded Context) it can compromise Other and Integrity, leading to outcomes such as Other and Modify Application Data.
Recommended mitigations for CWE-543 include: Use the Thread-Specific Storage Pattern. See References. Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition. Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209).
CWE-543 commonly affects Java and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-543 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.