The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
View on MITREThe getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted.
Using names for security purposes is not advised. Names are easy to forge and can have overlapping user IDs, potentially causing confusion or impersonation.
Use getlogin_r() instead, which is reentrant, meaning that other processes are locked out from changing the username.
No detection method information available for this CWE.
The following code relies on getlogin() to determine whether or not a user is trusted. It is easily subverted.
No relationship information available for this CWE.
CWE-558: Use of getlogin() in Multithreaded Application is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted.
If exploited, CWE-558 (Use of getlogin() in Multithreaded Application) it can compromise Integrity, Access Control and Other, leading to outcomes such as Modify Application Data, Bypass Protection Mechanism and Other.
Recommended mitigations for CWE-558 include: Using names for security purposes is not advised. Names are easy to forge and can have overlapping user IDs, potentially causing confusion or impersonation. Use getlogin_r() instead, which is reentrant, meaning that other processes are locked out from changing the username.
CWE-558 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-558 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.