Category: 7PK - Time and State
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
| ID | Name | Description |
|---|---|---|
| CWE-364 | Signal Handler Race Condition | A signal handler race condition occurs when a program's signal handling routine is vulnerable to timing issues, allowing its state to be corrupted through asynchronous execution. |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | This vulnerability occurs when a program verifies a resource's state (like a file's permissions or existence) but then uses it after that state has already changed. The gap between checking and using creates a race window where an attacker can manipulate the resource, causing the program to operate on invalid or malicious data. |
| CWE-377 | Insecure Temporary File | This vulnerability occurs when an application creates temporary files with insecure permissions or in predictable locations, allowing attackers to read, modify, or delete sensitive data. |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | This vulnerability occurs when a J2EE application directly calls System.exit(), which forcibly terminates the entire application server process, not just the application itself. |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | Creating or managing threads directly within a J2EE application is a risky practice that violates the platform's standards and often leads to unstable applications. |
| CWE-384 | Session Fixation | Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's authenticated session. |
| CWE-412 | Unrestricted Externally Accessible Lock | This vulnerability occurs when a system correctly checks for a lock's existence, but an unauthorized external actor can control or influence that lock. |
| CWE-700 | Seven Pernicious Kingdoms | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |