{"@ID": "675", "@Name": "Multiple Operations on Resource in Single-Operation Context", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product performs the same operation on a resource two or more times, when the operation should only be applied once.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "573", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "586", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "102", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Common_Consequences": {"Consequence": {"Scope": "Other", "Impact": "Other"}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-149", "Intro_Text": "The following code shows a simple example of a double free vulnerability.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "free(ptr);"}, "#text": "char* ptr = (char*)malloc (SIZE);...if (abrt) {}...free(ptr);"}}, "Body_Text": ["Double free vulnerabilities have two common (and sometimes overlapping) causes:", {"xhtml:ul": {"xhtml:li": [{"xhtml:div": "Error conditions and other exceptional circumstances"}, {"xhtml:div": "Confusion over which part of the program is responsible for freeing the memory"}]}}, "Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once."]}, {"@Demonstrative_Example_ID": "DX-184", "Intro_Text": "This code binds a server socket to port 21, allowing the server to listen for traffic on that port.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": "/*unlink the socket if already bound to avoid an error when bind() is called*/", "#text": "int server_sockfd;int server_len;struct sockaddr_in server_address;\n                 \n                 \n                 \n                 unlink(\"server_socket\");server_sockfd = socket(AF_INET, SOCK_STREAM, 0);\n                 server_address.sin_family = AF_INET;server_address.sin_port = 21;server_address.sin_addr.s_addr = htonl(INADDR_ANY);server_len = sizeof(struct sockaddr_in);\n               bind(server_sockfd, (struct sockaddr *) &s1, server_len);"}}, "#text": "void bind_socket(void) {}"}}, "Body_Text": "This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2009-0935", "Description": "Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-0935"}, {"Reference": "CVE-2019-13351", "Description": "file descriptor double close can cause the wrong file to be associated with a file descriptor.", "Link": "https://www.cve.org/CVERecord?id=CVE-2019-13351"}, {"Reference": "CVE-2004-1939", "Description": "XSS protection mechanism attempts to remove \"/\" that could be used to close tags, but it can be bypassed using double encoded slashes (%252F)", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-1939"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Notes": {"Note": {"@Type": "Relationship", "#text": "This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). It's usually a case of an API contract violation (CWE-227)."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2008-04-11", "Submission_Version": "Draft 9", "Submission_ReleaseDate": "2008-04-11"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Other_Notes, Relationship_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Relationships, Relevant_Properties, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Name, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2021-10-28", "#text": "Duplicate Operations on Resource"}}}
