CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2903 vulnerabilities reference this CWE, most recent first.
GHSA-9FRC-28R7-WX7X
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-06 00:00In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06521260; Issue ID: ALPS06521260.
{
"affected": [],
"aliases": [
"CVE-2022-26428"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-01T14:15:00Z",
"severity": "MODERATE"
},
"details": "In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06521260; Issue ID: ALPS06521260.",
"id": "GHSA-9frc-28r7-wx7x",
"modified": "2022-08-06T00:00:54Z",
"published": "2022-08-02T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26428"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/August-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FRP-399H-R9J4
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information.
{
"affected": [],
"aliases": [
"CVE-2017-8279"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-16T22:29:00Z",
"severity": "HIGH"
},
"details": "In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information.",
"id": "GHSA-9frp-399h-r9j4",
"modified": "2022-05-13T01:47:26Z",
"published": "2022-05-13T01:47:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8279"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9FWF-H53Q-XXW3
Vulnerability from github – Published: 2024-07-11 00:32 – Updated: 2025-02-07 21:30A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability the
Routing Protocol Daemon (rpd)
of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker's control. However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.
On all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead routes nexthop-set. When this change happens, multipath relies on certain internal timing to record the update. Under certain circumstance and with specific timing, this could result in an rpd crash.
This issue only affects systems with BGP multipath enabled.
This issue affects:
Junos OS:
- All versions of 21.1
- from 21.2 before 21.2R3-S7,
- from 21.4 before 21.4R3-S6,
- from 22.1 before 22.1R3-S5,
- from 22.2 before 22.2R3-S3,
- from 22.3 before 22.3R3-S2,
- from 22.4 before 22.4R3,
- from 23.2 before 23.2R2.
Junos OS Evolved:
- All versions of 21.1-EVO,
- All versions of 21.2-EVO,
- from 21.4-EVO before 21.4R3-S6-EVO,
- from 22.1-EVO before 22.1R3-S5-EVO,
- from 22.2-EVO before 22.2R3-S3-EVO,
- from 22.3-EVO before 22.3R3-S2-EVO,
- from 22.4-EVO before 22.4R3-EVO,
- from 23.2-EVO before 23.2R2-EVO.
Versions of Junos OS before 21.1R1 are unaffected by this vulnerability. Versions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-39554"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T23:15:11Z",
"severity": "HIGH"
},
"details": "A Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability the \n\nRouting Protocol Daemon (rpd)\n\n of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker\u0027s control.\u00a0 However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.\n\nOn all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead routes nexthop-set. When this change happens, multipath relies on certain internal timing to record the update.\u00a0 Under certain circumstance and with specific timing, this could result in an rpd crash.\n\nThis issue only affects systems with BGP multipath enabled.\n\n\nThis issue affects:\n\nJunos OS: \n\n\n * All versions of 21.1\n * from 21.2 before 21.2R3-S7, \n * from 21.4 before 21.4R3-S6, \n * from 22.1 before 22.1R3-S5, \n * from 22.2 before 22.2R3-S3, \n * from 22.3 before 22.3R3-S2, \n * from 22.4 before 22.4R3, \n * from 23.2 before 23.2R2.\n\n\n\n\nJunos OS Evolved: \n\n\n * All versions of 21.1-EVO,\n * All versions of 21.2-EVO,\n * from 21.4-EVO before 21.4R3-S6-EVO, \n * from 22.1-EVO before 22.1R3-S5-EVO, \n * from 22.2-EVO before 22.2R3-S3-EVO, \n * from 22.3-EVO before 22.3R3-S2-EVO, \n * from 22.4-EVO before 22.4R3-EVO, \n * from 23.2-EVO before 23.2R2-EVO.\n\n\n\nVersions of Junos OS before 21.1R1 are unaffected by this vulnerability.\nVersions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.",
"id": "GHSA-9fwf-h53q-xxw3",
"modified": "2025-02-07T21:30:57Z",
"published": "2024-07-11T00:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39554"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA83014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9GJV-4X58-J6R8
Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow a denial of service. Authorized adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-31944"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T17:16:15Z",
"severity": "MODERATE"
},
"details": "Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow a denial of service. Authorized adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts.",
"id": "GHSA-9gjv-4x58-j6r8",
"modified": "2026-02-10T18:30:40Z",
"published": "2026-02-10T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31944"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01397.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9GPJ-6MG9-3Q6Q
Vulnerability from github – Published: 2022-05-01 18:05 – Updated: 2022-05-01 18:05xfs_fsr in xfsdump creates a .fsr temporary directory with insecure permissions, which allows local users to read or overwrite arbitrary files on xfs filesystems.
{
"affected": [],
"aliases": [
"CVE-2007-2654"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-05-14T21:19:00Z",
"severity": "MODERATE"
},
"details": "xfs_fsr in xfsdump creates a .fsr temporary directory with insecure permissions, which allows local users to read or overwrite arbitrary files on xfs filesystems.",
"id": "GHSA-9gpj-6mg9-3q6q",
"modified": "2022-05-01T18:05:41Z",
"published": "2022-05-01T18:05:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2654"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417894"
},
{
"type": "WEB",
"url": "http://osvdb.org/36716"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25220"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25425"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25761"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26867"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:134"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2007_10_sr.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/23922"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-516-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9H85-G7W3-RH49
Vulnerability from github – Published: 2026-07-15 22:51 – Updated: 2026-07-15 22:51Reused Component Instances Retain Stale Render Context
Summary
ViewComponent::Base instances retain multiple render-scoped objects across calls to render_in. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render.
This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.
Severity
The PoC demonstrates cross-user authorization impact in a realistic downstream application pattern. If the receiving program accepts downstream cross-user authorization impact as a scope-changing impact for a framework vulnerability, an alternative High score can be assigned:
Alternative CVSS: 8.2
Alternative vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Code
Validated against:
- Repository commit:
eea79445 - Ruby:
3.4.9
Relevant locations:
lib/view_component/base.rbrender_incontrollerhelpers__vc_requestlib/view_component/slot.rbSlot#to_slib/view_component/slotable.rb- slot storage in
@__vc_set_slots lib/view_component/collection.rb- child component memoization and spacer rendering
Key retained state:
@view_context = view_context
self.__vc_original_view_context ||= view_context
@lookup_context ||= view_context.lookup_context
@view_flow ||= view_context.view_flow
@__vc_requested_details ||= @lookup_context.vc_requested_details
@__vc_controller ||= view_context.controller
@__vc_helpers ||= __vc_original_view_context || controller.view_context
@__vc_request ||= controller.request if controller.respond_to?(:request)
Slot children also inherit the parent original view context:
@__vc_component_instance.__vc_original_view_context = @parent.__vc_original_view_context
Collections memoize child component instances:
return @components if defined? @components
Root Cause
Component instances are mutable render objects. render_in updates some per-render fields, but many request-scoped values are memoized using ||= or stored for later slot/collection rendering.
There is no runtime guard preventing a component instance from being rendered multiple times under different view contexts, and there is no full reset of render-scoped state at the start of each render.
Maintainer discussion in prior PRs notes that component instances should not be shared between renders, but the current runtime does not enforce this invariant.
Proof of Concept
The following PoC demonstrates four independent effects:
- stale authorization gate
- stale Host/request data in generated absolute URLs
- stale slot child context
- cross-thread context mixing
Run from the repository root:
$LOAD_PATH.unshift File.expand_path("lib", Dir.pwd)
require "action_controller/railtie"
require "rack/mock"
require "view_component/base"
class ReusePocController < ActionController::Base
helper_method :current_user, :admin?
attr_accessor :current_user, :role
def admin? = role == :admin
end
routes = ActionDispatch::Routing::RouteSet.new
routes.draw { get "/accounts/:id", to: "accounts#show" }
ReusePocController.include routes.url_helpers
class AdminPanelComponent < ViewComponent::Base
def render? = helpers.admin?
def call
href = helpers.url_for(controller: "accounts", action: "show", id: 42, only_path: false)
"ADMIN user=#{helpers.current_user};host=#{request.host};href=#{href}".html_safe
end
end
class UrlOnlyComponent < ViewComponent::Base
def call
href = helpers.url_for(controller: "accounts", action: "show", id: 42, only_path: false)
"user=#{helpers.current_user};host=#{request.host};href=#{href}".html_safe
end
end
class SlotChildComponent < ViewComponent::Base
def call = "child_user=#{helpers.current_user};child_path=#{request.path}".html_safe
end
class SlotParentComponent < ViewComponent::Base
renders_one :child, SlotChildComponent
def call = "parent_user=#{helpers.current_user};parent_path=#{request.path};".html_safe + child.to_s
end
class RaceComponent < ViewComponent::Base
def before_render = sleep 0.05
def call = "#{helpers.current_user}@#{request.path}".html_safe
end
def vc(user:, role:, path:, host: "app.example")
c = ReusePocController.new
c.current_user = user
c.role = role
c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, "HTTP_HOST" => host)))
c.set_response!(ActionDispatch::Response.new)
c.view_context
end
admin_vc = vc(user: "alice", role: :admin, path: "/admin", host: "admin.example")
guest_vc = vc(user: "bob", role: :guest, path: "/guest", host: "app.example")
panel = AdminPanelComponent.new
puts "auth_admin_first=#{panel.render_in(admin_vc)}"
puts "auth_guest_reused=#{panel.render_in(guest_vc)}"
puts "auth_guest_fresh=#{AdminPanelComponent.new.render_in(guest_vc).inspect}"
url = UrlOnlyComponent.new
puts "host_attacker_prime=#{url.render_in(vc(user: "attacker", role: :guest, path: "/prime", host: "evil.example"))}"
puts "host_victim_reused=#{url.render_in(vc(user: "victim", role: :guest, path: "/account", host: "app.example"))}"
puts "host_victim_fresh=#{UrlOnlyComponent.new.render_in(vc(user: "victim", role: :guest, path: "/account", host: "app.example"))}"
parent = SlotParentComponent.new
puts "slot_admin_first=#{parent.render_in(admin_vc) { |p| p.with_child }}"
puts "slot_guest_reused=#{parent.render_in(guest_vc) { |p| p.with_child }}"
puts "slot_guest_fresh=#{SlotParentComponent.new.render_in(guest_vc) { |p| p.with_child }}"
race = RaceComponent.new
q = Queue.new
t1 = Thread.new { q << [:admin, race.render_in(vc(user: "admin", role: :admin, path: "/admin"))] }
t2 = Thread.new { q << [:guest, race.render_in(vc(user: "guest", role: :guest, path: "/guest"))] }
t1.join
t2.join
results = 2.times.map { q.pop }.to_h
puts "race_admin_thread=#{results[:admin]}"
puts "race_guest_thread=#{results[:guest]}"
Observed output:
auth_admin_first=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42
auth_guest_reused=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42
auth_guest_fresh=""
host_attacker_prime=user=attacker;host=evil.example;href=http://evil.example/accounts/42
host_victim_reused=user=attacker;host=evil.example;href=http://evil.example/accounts/42
host_victim_fresh=user=victim;host=app.example;href=http://app.example/accounts/42
slot_admin_first=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/admin
slot_guest_reused=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/guest
slot_guest_fresh=parent_user=bob;parent_path=/guest;child_user=bob;child_path=/guest
race_admin_thread=admin@/guest
race_guest_thread=admin@/guest
Authorization-Impact PoC
The following PoC models a realistic downstream application pattern: a shared component registry caches component objects instead of caching component classes, factories, or rendered strings. An admin request primes the cached toolbar component. A later guest request renders the same cached object.
The component uses render? as an authorization-aware visibility gate and emits a representative privileged action link.
$LOAD_PATH.unshift File.expand_path("lib", Dir.pwd)
require "action_controller/railtie"
require "rack/mock"
require "view_component/base"
module SharedComponentRegistry
def self.admin_toolbar
@admin_toolbar ||= AdminToolbarComponent.new
end
def self.reset!
remove_instance_variable(:@admin_toolbar) if defined?(@admin_toolbar)
end
end
User = Struct.new(:id, :role, keyword_init: true) do
def admin? = role == :admin
end
class AppController < ActionController::Base
helper_method :current_user, :admin?
attr_accessor :current_user
def admin?
current_user&.admin?
end
end
routes = ActionDispatch::Routing::RouteSet.new
routes.draw do
get "/admin/users/:id/impersonate", to: "admin/users#impersonate", as: :impersonate_admin_user
end
AppController.include routes.url_helpers
class AdminToolbarComponent < ViewComponent::Base
def render?
helpers.admin?
end
def call
helpers.link_to(
"Impersonate user 42",
helpers.impersonate_admin_user_url(42, host: request.host),
data: { turbo_method: :post }
)
end
end
class DashboardController < AppController
def render_dashboard_with_shared_component
render_to_string(inline: '<main><h1>Dashboard</h1><%= render SharedComponentRegistry.admin_toolbar %></main>')
end
def render_dashboard_with_fresh_component
render_to_string(inline: '<main><h1>Dashboard</h1><%= render AdminToolbarComponent.new %></main>')
end
end
def controller_for(user:, host:, path: "/dashboard")
c = DashboardController.new
c.current_user = user
c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, "HTTP_HOST" => host)))
c.set_response!(ActionDispatch::Response.new)
c
end
SharedComponentRegistry.reset!
admin = User.new(id: 1, role: :admin)
guest = User.new(id: 2, role: :guest)
admin_response = controller_for(user: admin, host: "admin.example").render_dashboard_with_shared_component
guest_reused_response = controller_for(user: guest, host: "app.example").render_dashboard_with_shared_component
guest_fresh_response = controller_for(user: guest, host: "app.example").render_dashboard_with_fresh_component
puts "admin_shared_contains_admin_link=#{admin_response.include?('/admin/users/42/impersonate')}"
puts "guest_reused_contains_admin_link=#{guest_reused_response.include?('/admin/users/42/impersonate')}"
puts "guest_fresh_contains_admin_link=#{guest_fresh_response.include?('/admin/users/42/impersonate')}"
puts "guest_reused_contains_admin_host=#{guest_reused_response.include?('http://admin.example/admin/users/42/impersonate')}"
puts "guest_reused_response=#{guest_reused_response.gsub(/\s+/, ' ').strip}"
puts "guest_fresh_response=#{guest_fresh_response.gsub(/\s+/, ' ').strip.inspect}"
Observed output:
admin_shared_contains_admin_link=true
guest_reused_contains_admin_link=true
guest_fresh_contains_admin_link=false
guest_reused_contains_admin_host=true
guest_reused_response=<main><h1>Dashboard</h1><a data-turbo-method="post" href="http://admin.example/admin/users/42/impersonate">Impersonate user 42</a></main>
guest_fresh_response="<main><h1>Dashboard</h1></main>"
This confirms a cross-user authorization impact in a realistic pattern: a guest receives privileged UI that a fresh component correctly suppresses. It also confirms stale request and Host context in the generated privileged URL.
Exploit Scenario
A downstream app stores component instances in a constant, singleton service, memoized helper, cache object, or shared collection builder to avoid allocation. An attacker or lower-privileged user later triggers rendering of that same object.
Potential real-world examples:
- A navigation/sidebar component checks
helpers.admin?inrender?. - A tenant switcher uses
request.hostorcurrent_user.account. - A component emits absolute URLs or signed action links.
- A table uses slot child components that rely on helper/request state.
- A global UI registry stores instantiated spacer or child components.
In these cases, a component first rendered under an admin or attacker-controlled request can affect later renders for other users.
Impact
Confirmed impact classes:
- stale privileged UI rendering
- stale user identity through
helpers - stale Host/request data in generated absolute URLs
- slot child context inheritance
- cross-thread context corruption
- stale format/variant template selection
- stale
view_flow/content_forwrites - collection and spacer component context leakage
This can chain into privilege escalation if an application relies on UI visibility as an authorization boundary. It can also leak signed links, tenant-specific URLs, admin actions, or user-specific data.
Preconditions
- The same component, collection, slot, or spacer component instance is reused across render contexts.
- The component reads request-scoped or user-scoped APIs such as
helpers,controller,request, URL helpers,render?,before_render, slots, variants, formats, orcontent_for. - Higher impact when the shared object crosses users, tenants, roles, or threads.
Normal per-request usage such as render(MyComponent.new(...)) is not affected.
Chaining Potential
This issue can chain with:
- UI-only authorization checks
- signed admin links embedded in components
- Host header poisoning
- multi-tenant routing based on host/subdomain
- shared component registries
- fragment/component caching patterns that cache objects rather than rendered strings
- concurrent Rails servers such as Puma
The framework alone does not directly prove account takeover, but downstream applications can reach high impact if stale component output exposes privileged action links or bypasses server-side authorization assumptions.
Remediation
The safest fix is to make component and collection instances one-shot renderables.
Recommended options:
- Add a runtime guard in
render_inthat raises or warns when the same component instance is rendered again with a differentview_context. - Reset render-scoped ivars at the beginning of every render, including:
__vc_original_view_context@lookup_context@view_flow@__vc_requested_details@__vc_controller@__vc_helpers@__vc_request- Rebuild
ViewComponent::Collectionchild component instances per render or document/enforce collections as one-shot. - Avoid accepting a reusable instantiated
spacer_component, or reset/clone it before rendering. - Add thread-safety tests for concurrent rendering of a shared instance.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "view_component"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54497"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-488",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-15T22:51:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Reused Component Instances Retain Stale Render Context\n\n## Summary\n\n`ViewComponent::Base` instances retain multiple render-scoped objects across calls to `render_in`. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale `helpers`, `controller`, `request`, `view_flow`, format/variant details, and slot child context from an earlier render.\n\nThis can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.\n\n## Severity\n\nThe PoC demonstrates cross-user authorization impact in a realistic downstream application pattern.\nIf the receiving program accepts downstream cross-user authorization impact as a scope-changing impact for a framework vulnerability, an alternative High score can be assigned:\n\nAlternative CVSS: 8.2\nAlternative vector: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N`\n\n## Affected Code\n\nValidated against:\n\n- Repository commit: `eea79445`\n- Ruby: `3.4.9`\n\nRelevant locations:\n\n- `lib/view_component/base.rb`\n - `render_in`\n - `controller`\n - `helpers`\n - `__vc_request`\n- `lib/view_component/slot.rb`\n - `Slot#to_s`\n- `lib/view_component/slotable.rb`\n - slot storage in `@__vc_set_slots`\n- `lib/view_component/collection.rb`\n - child component memoization and spacer rendering\n\nKey retained state:\n\n```ruby\n@view_context = view_context\nself.__vc_original_view_context ||= view_context\n@lookup_context ||= view_context.lookup_context\n@view_flow ||= view_context.view_flow\n@__vc_requested_details ||= @lookup_context.vc_requested_details\n```\n\n```ruby\n@__vc_controller ||= view_context.controller\n@__vc_helpers ||= __vc_original_view_context || controller.view_context\n@__vc_request ||= controller.request if controller.respond_to?(:request)\n```\n\nSlot children also inherit the parent original view context:\n\n```ruby\n@__vc_component_instance.__vc_original_view_context = @parent.__vc_original_view_context\n```\n\nCollections memoize child component instances:\n\n```ruby\nreturn @components if defined? @components\n```\n\n## Root Cause\n\nComponent instances are mutable render objects. `render_in` updates some per-render fields, but many request-scoped values are memoized using `||=` or stored for later slot/collection rendering.\n\nThere is no runtime guard preventing a component instance from being rendered multiple times under different view contexts, and there is no full reset of render-scoped state at the start of each render.\n\nMaintainer discussion in prior PRs notes that component instances should not be shared between renders, but the current runtime does not enforce this invariant.\n\n## Proof of Concept\n\nThe following PoC demonstrates four independent effects:\n\n- stale authorization gate\n- stale Host/request data in generated absolute URLs\n- stale slot child context\n- cross-thread context mixing\n\nRun from the repository root:\n\n```ruby\n$LOAD_PATH.unshift File.expand_path(\"lib\", Dir.pwd)\nrequire \"action_controller/railtie\"\nrequire \"rack/mock\"\nrequire \"view_component/base\"\n\nclass ReusePocController \u003c ActionController::Base\n helper_method :current_user, :admin?\n attr_accessor :current_user, :role\n def admin? = role == :admin\nend\n\nroutes = ActionDispatch::Routing::RouteSet.new\nroutes.draw { get \"/accounts/:id\", to: \"accounts#show\" }\nReusePocController.include routes.url_helpers\n\nclass AdminPanelComponent \u003c ViewComponent::Base\n def render? = helpers.admin?\n\n def call\n href = helpers.url_for(controller: \"accounts\", action: \"show\", id: 42, only_path: false)\n \"ADMIN user=#{helpers.current_user};host=#{request.host};href=#{href}\".html_safe\n end\nend\n\nclass UrlOnlyComponent \u003c ViewComponent::Base\n def call\n href = helpers.url_for(controller: \"accounts\", action: \"show\", id: 42, only_path: false)\n \"user=#{helpers.current_user};host=#{request.host};href=#{href}\".html_safe\n end\nend\n\nclass SlotChildComponent \u003c ViewComponent::Base\n def call = \"child_user=#{helpers.current_user};child_path=#{request.path}\".html_safe\nend\n\nclass SlotParentComponent \u003c ViewComponent::Base\n renders_one :child, SlotChildComponent\n def call = \"parent_user=#{helpers.current_user};parent_path=#{request.path};\".html_safe + child.to_s\nend\n\nclass RaceComponent \u003c ViewComponent::Base\n def before_render = sleep 0.05\n def call = \"#{helpers.current_user}@#{request.path}\".html_safe\nend\n\ndef vc(user:, role:, path:, host: \"app.example\")\n c = ReusePocController.new\n c.current_user = user\n c.role = role\n c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, \"HTTP_HOST\" =\u003e host)))\n c.set_response!(ActionDispatch::Response.new)\n c.view_context\nend\n\nadmin_vc = vc(user: \"alice\", role: :admin, path: \"/admin\", host: \"admin.example\")\nguest_vc = vc(user: \"bob\", role: :guest, path: \"/guest\", host: \"app.example\")\n\npanel = AdminPanelComponent.new\nputs \"auth_admin_first=#{panel.render_in(admin_vc)}\"\nputs \"auth_guest_reused=#{panel.render_in(guest_vc)}\"\nputs \"auth_guest_fresh=#{AdminPanelComponent.new.render_in(guest_vc).inspect}\"\n\nurl = UrlOnlyComponent.new\nputs \"host_attacker_prime=#{url.render_in(vc(user: \"attacker\", role: :guest, path: \"/prime\", host: \"evil.example\"))}\"\nputs \"host_victim_reused=#{url.render_in(vc(user: \"victim\", role: :guest, path: \"/account\", host: \"app.example\"))}\"\nputs \"host_victim_fresh=#{UrlOnlyComponent.new.render_in(vc(user: \"victim\", role: :guest, path: \"/account\", host: \"app.example\"))}\"\n\nparent = SlotParentComponent.new\nputs \"slot_admin_first=#{parent.render_in(admin_vc) { |p| p.with_child }}\"\nputs \"slot_guest_reused=#{parent.render_in(guest_vc) { |p| p.with_child }}\"\nputs \"slot_guest_fresh=#{SlotParentComponent.new.render_in(guest_vc) { |p| p.with_child }}\"\n\nrace = RaceComponent.new\nq = Queue.new\nt1 = Thread.new { q \u003c\u003c [:admin, race.render_in(vc(user: \"admin\", role: :admin, path: \"/admin\"))] }\nt2 = Thread.new { q \u003c\u003c [:guest, race.render_in(vc(user: \"guest\", role: :guest, path: \"/guest\"))] }\nt1.join\nt2.join\nresults = 2.times.map { q.pop }.to_h\nputs \"race_admin_thread=#{results[:admin]}\"\nputs \"race_guest_thread=#{results[:guest]}\"\n```\n\nObserved output:\n\n```text\nauth_admin_first=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42\nauth_guest_reused=ADMIN user=alice;host=admin.example;href=http://admin.example/accounts/42\nauth_guest_fresh=\"\"\n\nhost_attacker_prime=user=attacker;host=evil.example;href=http://evil.example/accounts/42\nhost_victim_reused=user=attacker;host=evil.example;href=http://evil.example/accounts/42\nhost_victim_fresh=user=victim;host=app.example;href=http://app.example/accounts/42\n\nslot_admin_first=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/admin\nslot_guest_reused=parent_user=alice;parent_path=/admin;child_user=alice;child_path=/guest\nslot_guest_fresh=parent_user=bob;parent_path=/guest;child_user=bob;child_path=/guest\n\nrace_admin_thread=admin@/guest\nrace_guest_thread=admin@/guest\n```\n\n## Authorization-Impact PoC\n\nThe following PoC models a realistic downstream application pattern: a shared component registry caches component objects instead of caching component classes, factories, or rendered strings. An admin request primes the cached toolbar component. A later guest request renders the same cached object.\n\nThe component uses `render?` as an authorization-aware visibility gate and emits a representative privileged action link.\n\n```ruby\n$LOAD_PATH.unshift File.expand_path(\"lib\", Dir.pwd)\nrequire \"action_controller/railtie\"\nrequire \"rack/mock\"\nrequire \"view_component/base\"\n\nmodule SharedComponentRegistry\n def self.admin_toolbar\n @admin_toolbar ||= AdminToolbarComponent.new\n end\n\n def self.reset!\n remove_instance_variable(:@admin_toolbar) if defined?(@admin_toolbar)\n end\nend\n\nUser = Struct.new(:id, :role, keyword_init: true) do\n def admin? = role == :admin\nend\n\nclass AppController \u003c ActionController::Base\n helper_method :current_user, :admin?\n attr_accessor :current_user\n\n def admin?\n current_user\u0026.admin?\n end\nend\n\nroutes = ActionDispatch::Routing::RouteSet.new\nroutes.draw do\n get \"/admin/users/:id/impersonate\", to: \"admin/users#impersonate\", as: :impersonate_admin_user\nend\nAppController.include routes.url_helpers\n\nclass AdminToolbarComponent \u003c ViewComponent::Base\n def render?\n helpers.admin?\n end\n\n def call\n helpers.link_to(\n \"Impersonate user 42\",\n helpers.impersonate_admin_user_url(42, host: request.host),\n data: { turbo_method: :post }\n )\n end\nend\n\nclass DashboardController \u003c AppController\n def render_dashboard_with_shared_component\n render_to_string(inline: \u0027\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003c%= render SharedComponentRegistry.admin_toolbar %\u003e\u003c/main\u003e\u0027)\n end\n\n def render_dashboard_with_fresh_component\n render_to_string(inline: \u0027\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003c%= render AdminToolbarComponent.new %\u003e\u003c/main\u003e\u0027)\n end\nend\n\ndef controller_for(user:, host:, path: \"/dashboard\")\n c = DashboardController.new\n c.current_user = user\n c.set_request!(ActionDispatch::Request.new(Rack::MockRequest.env_for(path, \"HTTP_HOST\" =\u003e host)))\n c.set_response!(ActionDispatch::Response.new)\n c\nend\n\nSharedComponentRegistry.reset!\nadmin = User.new(id: 1, role: :admin)\nguest = User.new(id: 2, role: :guest)\n\nadmin_response = controller_for(user: admin, host: \"admin.example\").render_dashboard_with_shared_component\nguest_reused_response = controller_for(user: guest, host: \"app.example\").render_dashboard_with_shared_component\nguest_fresh_response = controller_for(user: guest, host: \"app.example\").render_dashboard_with_fresh_component\n\nputs \"admin_shared_contains_admin_link=#{admin_response.include?(\u0027/admin/users/42/impersonate\u0027)}\"\nputs \"guest_reused_contains_admin_link=#{guest_reused_response.include?(\u0027/admin/users/42/impersonate\u0027)}\"\nputs \"guest_fresh_contains_admin_link=#{guest_fresh_response.include?(\u0027/admin/users/42/impersonate\u0027)}\"\nputs \"guest_reused_contains_admin_host=#{guest_reused_response.include?(\u0027http://admin.example/admin/users/42/impersonate\u0027)}\"\nputs \"guest_reused_response=#{guest_reused_response.gsub(/\\s+/, \u0027 \u0027).strip}\"\nputs \"guest_fresh_response=#{guest_fresh_response.gsub(/\\s+/, \u0027 \u0027).strip.inspect}\"\n```\n\nObserved output:\n\n```text\nadmin_shared_contains_admin_link=true\nguest_reused_contains_admin_link=true\nguest_fresh_contains_admin_link=false\nguest_reused_contains_admin_host=true\nguest_reused_response=\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003ca data-turbo-method=\"post\" href=\"http://admin.example/admin/users/42/impersonate\"\u003eImpersonate user 42\u003c/a\u003e\u003c/main\u003e\nguest_fresh_response=\"\u003cmain\u003e\u003ch1\u003eDashboard\u003c/h1\u003e\u003c/main\u003e\"\n```\n\nThis confirms a cross-user authorization impact in a realistic pattern: a guest receives privileged UI that a fresh component correctly suppresses. It also confirms stale request and Host context in the generated privileged URL.\n\n## Exploit Scenario\n\nA downstream app stores component instances in a constant, singleton service, memoized helper, cache object, or shared collection builder to avoid allocation. An attacker or lower-privileged user later triggers rendering of that same object.\n\nPotential real-world examples:\n\n- A navigation/sidebar component checks `helpers.admin?` in `render?`.\n- A tenant switcher uses `request.host` or `current_user.account`.\n- A component emits absolute URLs or signed action links.\n- A table uses slot child components that rely on helper/request state.\n- A global UI registry stores instantiated spacer or child components.\n\nIn these cases, a component first rendered under an admin or attacker-controlled request can affect later renders for other users.\n\n## Impact\n\nConfirmed impact classes:\n\n- stale privileged UI rendering\n- stale user identity through `helpers`\n- stale Host/request data in generated absolute URLs\n- slot child context inheritance\n- cross-thread context corruption\n- stale format/variant template selection\n- stale `view_flow` / `content_for` writes\n- collection and spacer component context leakage\n\nThis can chain into privilege escalation if an application relies on UI visibility as an authorization boundary. It can also leak signed links, tenant-specific URLs, admin actions, or user-specific data.\n\n## Preconditions\n\n- The same component, collection, slot, or spacer component instance is reused across render contexts.\n- The component reads request-scoped or user-scoped APIs such as `helpers`, `controller`, `request`, URL helpers, `render?`, `before_render`, slots, variants, formats, or `content_for`.\n- Higher impact when the shared object crosses users, tenants, roles, or threads.\n\nNormal per-request usage such as `render(MyComponent.new(...))` is not affected.\n\n## Chaining Potential\n\nThis issue can chain with:\n\n- UI-only authorization checks\n- signed admin links embedded in components\n- Host header poisoning\n- multi-tenant routing based on host/subdomain\n- shared component registries\n- fragment/component caching patterns that cache objects rather than rendered strings\n- concurrent Rails servers such as Puma\n\nThe framework alone does not directly prove account takeover, but downstream applications can reach high impact if stale component output exposes privileged action links or bypasses server-side authorization assumptions.\n\n## Remediation\n\nThe safest fix is to make component and collection instances one-shot renderables.\n\nRecommended options:\n\n1. Add a runtime guard in `render_in` that raises or warns when the same component instance is rendered again with a different `view_context`.\n2. Reset render-scoped ivars at the beginning of every render, including:\n - `__vc_original_view_context`\n - `@lookup_context`\n - `@view_flow`\n - `@__vc_requested_details`\n - `@__vc_controller`\n - `@__vc_helpers`\n - `@__vc_request`\n3. Rebuild `ViewComponent::Collection` child component instances per render or document/enforce collections as one-shot.\n4. Avoid accepting a reusable instantiated `spacer_component`, or reset/clone it before rendering.\n5. Add thread-safety tests for concurrent rendering of a shared instance.",
"id": "GHSA-9h85-g7w3-rh49",
"modified": "2026-07-15T22:51:33Z",
"published": "2026-07-15T22:51:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49"
},
{
"type": "WEB",
"url": "https://github.com/ViewComponent/view_component/commit/7b05073be28037f7d5ff141e9dd42f3cf47956a4"
},
{
"type": "PACKAGE",
"url": "https://github.com/ViewComponent/view_component"
},
{
"type": "WEB",
"url": "https://github.com/ViewComponent/view_component/releases/tag/v4.12.0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-54497.yml"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ViewComponent: Reused Component Instances Retain Stale Render Context"
}
GHSA-9H9F-XMHF-8GQC
Vulnerability from github – Published: 2025-11-28 03:30 – Updated: 2025-11-28 03:30Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2025-64313"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-28T03:16:00Z",
"severity": "MODERATE"
},
"details": "Denial of service (DoS) vulnerability in the office service.\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-9h9f-xmhf-8gqc",
"modified": "2025-11-28T03:30:27Z",
"published": "2025-11-28T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64313"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9HPW-R23R-XGM5
Vulnerability from github – Published: 2022-06-17 00:25 – Updated: 2022-06-17 00:25In the affected version of this crate, {Iter, IterMut}::next used a weaker memory ordering when loading values than what was required, exposing a potential data race
when iterating over a ThreadLocal's values.
Crates using Iter::next, or IterMut::next are affected by this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "thread_local"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T00:25:46Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "In the affected version of this crate, `{Iter, IterMut}::next` used a weaker memory ordering when loading values than what was required, exposing a potential data race\nwhen iterating over a `ThreadLocal`\u0027s values.\n\nCrates using `Iter::next`, or `IterMut::next` are affected by this issue.\n",
"id": "GHSA-9hpw-r23r-xgm5",
"modified": "2022-06-17T00:25:46Z",
"published": "2022-06-17T00:25:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Amanieu/thread_local-rs/issues/33"
},
{
"type": "PACKAGE",
"url": "https://github.com/Amanieu/thread_local-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0006.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Data race in `Iter` and `IterMut`"
}
GHSA-9HQ3-7CHC-XFF2
Vulnerability from github – Published: 2023-10-10 18:31 – Updated: 2024-04-04 08:32Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-41774"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T18:15:18Z",
"severity": "HIGH"
},
"details": "Layer 2 Tunneling Protocol Remote Code Execution Vulnerability",
"id": "GHSA-9hq3-7chc-xff2",
"modified": "2024-04-04T08:32:52Z",
"published": "2023-10-10T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41774"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41774"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HQH-QQFF-45P6
Vulnerability from github – Published: 2022-05-17 04:18 – Updated: 2022-05-17 04:18Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.
{
"affected": [],
"aliases": [
"CVE-2013-6458"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-01-24T18:55:00Z",
"severity": "MODERATE"
},
"details": "Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.",
"id": "GHSA-9hqh-qqff-45p6",
"modified": "2022-05-17T04:18:15Z",
"published": "2022-05-17T04:18:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6458"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043069"
},
{
"type": "WEB",
"url": "http://libvirt.org/news.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00060.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00062.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0103.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56186"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56446"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60895"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201412-04.xml"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2846"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2093-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.