{"@ID": "1250", "@Name": "Improper Preservation of Consistency Between Independent Representations of Shared State", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.", "Extended_Description": {"xhtml:p": ["In highly distributed environments, or on systems with distinct physical components that operate independently, there is often a need for each component to store and update its own local copy of key data such as state or cache, so that all components have the same \"view\" of the overall system and operate in a coordinated fashion.  For example, users of a social media service or a massively multiplayer online game might be using their own personal computers while also interacting with different physical hosts in a globally distributed service, but all participants must be able to have the same \"view\" of the world.  Alternately, a processor's Memory Management Unit (MMU) might have \"shadow\" MMUs to distribute its workload, and all shadow MMUs are expected to have the same accessible ranges of memory.", "In such environments, it becomes critical for\n\t\tthe product to ensure that this \"shared state\" is\n\t\tconsistently modified across all distributed systems.\n\t\tIf state is not consistently maintained across all\n\t\tsystems, then critical transactions might take place\n\t\tout of order, or some users might not get the same\n\t\tdata as other users.  When this inconsistency affects\n\t\tcorrectness of operations, it can introduce\n\t\tvulnerabilities in mechanisms that depend on\n\t\tconsistent state."]}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Cloud Computing", "@Prevalence": "Undetermined"}, {"@Name": "Security Hardware", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation"}, {"Phase": "Architecture and Design"}]}, "Common_Consequences": {"Consequence": {"Scope": "Other", "Impact": "Unexpected State", "Note": "One or more of the components/sub-systems could\n\t\tassume that the state is different than it actually\n\t\tis."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-132", "Intro_Text": "Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of \"accessible\" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.", "Body_Text": "Suppose the interconnect fabric does not prioritize such \"update\" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario."}}, "References": {"Reference": {"@External_Reference_ID": "REF-1069"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Research Gap", "#text": "Issues related to state and cache - creation,\n\t\tpreservation, and update - are a significant gap in\n\t\tCWE that is expected to be addressed in future\n\t\tversions.  It likely has relationships to concurrency\n\t\tand synchronization, incorrect behavior order, and\n\t\tother areas that already have some coverage in CWE,\n\t\talthough the focus has typically been on independent\n\t\tprocesses on the same operating system - not on\n\t\tindependent systems that are all a part of a larger\n\t\tsystem-of-systems."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2020-02-13", "Submission_Version": "4.0", "Submission_ReleaseDate": "2020-02-24"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-06-28", "Modification_Version": "4.8", "Modification_ReleaseDate": "2022-06-28", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Common_Consequences, Time_of_Introduction, Weakness_Ordinalities"}]}}
