logo

Multiple Operations on Resource in Single-Operation Context

Draft Class
Structure: Simple
Description

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

Common Consequences 1
Scope: Other

Impact: Other
Demonstrative Examples 2

ID : DX-149

The following code shows a simple example of a double free vulnerability.

Code Example:

Bad
C
c
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances - Confusion over which part of the program is responsible for freeing the memory
Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

ID : DX-184

This code binds a server socket to port 21, allowing the server to listen for traffic on that port.

Code Example:

Bad
C
c

/unlink the socket if already bound to avoid an error when bind() is called/*

c
This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server.
Observed Examples 3
CVE-2009-0935Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
CVE-2019-13351file descriptor double close can cause the wrong file to be associated with a file descriptor.
CVE-2004-1939XSS protection mechanism attempts to remove "/" that could be used to close tags, but it can be bypassed using double encoded slashes (%252F)
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Improper Following of Specification by Caller (CWE-573)
PeerOf: Explicit Call to Finalize() (CWE-586)
PeerOf: Struts: Duplicate Validation Forms (CWE-102)
Notes
RelationshipThis weakness is probably closely associated with other issues related to doubling, such as Duplicate Key in Associative List (Alist) (duplicate key in alist) or Struts: Duplicate Validation Forms (Struts duplicate validation forms). It's usually a case of an API contract violation (7PK - API Abuse).