The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
View on MITREWithin servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. Note that this weakness is not unique to servlets.
If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.
Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.
No detection method information available for this CWE.
The following code implements a basic counter for how many times the page has been accesed.
Consider when two separate threads, Thread A and Thread B, concurrently handle two different requests:
No relationship information available for this CWE.
CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. Note that this weakness is not unique to servlets.
If exploited, CWE-567 (Unsynchronized Access to Shared Data in a Multithreaded Context) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Application Data, Modify Application Data, DoS: Instability and DoS: Crash, Exit, or Restart.
Recommended mitigations for CWE-567 include: Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.
CWE-567 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-567 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.