CWE-837 对单一独特动作的实施不恰当
Improper Enforcement of a Single, Unique Action
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.
扩展描述
In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 799 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 799 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Other | An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software. |
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2008-0294 | Ticket-booking web application allows a user to lock a seat more than once. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0294 |
| CVE-2005-4051 | CMS allows people to rate downloads by voting more than once. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4051 |
| CVE-2002-216 | Polling software allows people to vote more than once by setting a cookie. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-216 |
| CVE-2003-1433 | Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1433 |
| CVE-2002-1018 | Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1018 |
| CVE-2009-2346 | Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2346 |