Use of Multiple Resources with Duplicate Identifier

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when a system uses multiple resources that can share the same identifier, even though the application logic requires each identifier to be unique.

Extended Description

When software is designed to assume that identifiers like file handles, session tokens, or database keys are always unique, sharing identifiers between resources breaks this fundamental assumption. This can happen due to race conditions, insufficient validation, or flawed resource allocation logic, creating a situation where the application cannot reliably distinguish between different objects or data streams. An attacker can exploit this by forcing two distinct resources—such as files, memory blocks, or user sessions—to be referenced by the same identifier. This causes the application to perform actions on the wrong resource, potentially leading to data corruption, information disclosure, or privilege escalation, as the system's control flow is diverted based on a compromised identifier.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.

Scope: Other

Impact: Quality Degradation

Potential Mitigations
Phase: Architecture and Design
Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately.
Demonstrative Examples

ID: DX-221

These two Struts validation forms have the same name.

Code Example (Bad, XML):
It is not certain which form will be used by Struts. It is critically important that validation logic be maintained and kept in sync with the rest of the product.
Observed Examples
CVE-2013-4787: chain: mobile OS verifies the cryptographic signature of a file in an archive, but then installs a different file with the same name that is also listed in the archive.
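The mitigation above ("do not operate any resource with a non-unique identifier and report the error") applies equally to the two identifier spaces this entry mentions: `<form name="...">` entries in a Struts validation.xml, and entry names inside an archive as in CVE-2013-4787. The following Python is an added example, not code from CWE, from Struts, or from the mobile OS in the CVE. It runs one duplicate check over both, and also shows why acting on a by-name lookup is unsafe: the standard library's `zipfile` only warns when writing a duplicate name and, on reading, silently returns whichever same-named entry its name map kept last. The validation.xml fragment and the archive contents are constructed here; the form name "ProjectForm" and the file names are made up for the example.

```python
"""Refuse to act on resources whose identifiers are not unique.

Added example for this CWE entry; not code from CWE, Struts or any
vendor. One duplicate check is applied to two identifier spaces:
<form name="..."> in a Struts validation.xml and entry names in a ZIP.
Every input below is constructed.
"""
import io
import warnings
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

# Constructed validation.xml: two forms share the name "ProjectForm".
STRUTS_VALIDATION_XML = """\
<form-validation>
  <formset>
    <form name="ProjectForm">
      <field property="name" depends="required">
        <arg key="projectForm.name"/>
      </field>
    </form>
    <form name="ProjectForm">
      <field property="budget" depends="required,integer">
        <arg key="projectForm.budget"/>
      </field>
    </form>
  </formset>
</form-validation>
"""


def find_duplicates(identifiers: Iterable[str]) -> List[str]:
    """Return each identifier seen more than once, in first-seen order."""
    counts = Counter(identifiers)
    return [ident for ident, n in counts.items() if n > 1]


def struts_form_names(validation_xml: str) -> List[str]:
    """Every <form name="..."> in document order, duplicates kept."""
    root = ET.fromstring(validation_xml)
    return [form.get("name", "") for form in root.iter("form")]


def check_struts_forms(validation_xml: str) -> List[str]:
    """Duplicate form names; an empty list means the config may be loaded."""
    return find_duplicates(struts_form_names(validation_xml))


def zip_entry_names(zip_bytes: bytes) -> List[str]:
    """Every name in the central directory, including repeats."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def check_zip_entries(zip_bytes: bytes) -> List[str]:
    """Duplicate entry names; an empty list means each name is one entry."""
    return find_duplicates(zip_entry_names(zip_bytes))


def entry_the_library_picks(zip_bytes: bytes, name: str) -> bytes:
    """Which same-named entry a by-name read returns (here: the last one).

    zipfile's name->entry map is overwritten per central-directory record,
    so the winner is an implementation detail, not something a signature
    check may rely on.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def build_constructed_zip(entries: Sequence[Tuple[str, bytes]]) -> bytes:
    """Build a test archive; zipfile only *warns* about duplicate names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # hide the "Duplicate name" warning
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


DUPLICATE_ZIP = build_constructed_zip(
    [("manifest.txt", b"v1"), ("program.bin", b"first"), ("program.bin", b"second")]
)
CLEAN_ZIP = build_constructed_zip([("manifest.txt", b"v1"), ("program.bin", b"only")])


def admit_archive(zip_bytes: bytes) -> List[str]:
    """Gate: reject the whole archive if any entry name is shared.

    Run before any per-entry verification, so the entry that is checked
    and the entry that is later used cannot be different objects.
    """
    dups = check_zip_entries(zip_bytes)
    if dups:
        raise ValueError(f"archive rejected: duplicate entry names {dups}")
    return zip_entry_names(zip_bytes)


if __name__ == "__main__":
    print("Struts duplicates:", check_struts_forms(STRUTS_VALIDATION_XML))
    print("Archive duplicates:", check_zip_entries(DUPLICATE_ZIP))
    print("By-name read returns:", entry_the_library_picks(DUPLICATE_ZIP, "program.bin"))
    print("Clean archive admitted:", admit_archive(CLEAN_ZIP))
```

The check is deliberately placed at the boundary (config load, archive admission) and rejects the whole resource set rather than picking one of the duplicates: once two objects share a name, no later lookup by that name can be trusted, so "first wins" or "last wins" policies only move the ambiguity around.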
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Implementation
Notes
Relationship: This weakness is probably closely associated with other issues related to doubling, such as Multiple Operations on Resource in Single-Operation Context (Duplicate Operations on Resource). It's often a case of an API contract violation (7PK - API Abuse).