CVEbaza.plCWE DictionaryCWE-412
Common Weakness Enumeration

CWE-412

Unrestricted Externally Accessible Lock

Category: BaseCVE: 5
Description

The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.

Extended Description

This prevents the product from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.

CVE vulnerabilities with CWE-412 (5)
9.8
CVSS
CRITICAL
CVE-2019-18269

Omron’s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability.

pub. 2019-12-16
7.5
CVSS
HIGH
CVE-2023-38505

DietPi-Dashboard is a web dashboard for the operating system DietPi. The dashboard only allows for one TLS handshake to be in process at a given moment. Once a TCP connection is established in HTTPS mode, it will assume that it should be waiting for a handshake, and will stay this way indefinitely until a handshake starts or some error occurs. In version 0.6.1, this can be exploited by simply not starting the handshake, preventing any other TLS handshakes from getting through. An attacker can lock the dashboard in a state where it is waiting for a TLS handshake from the attacker, who won't provide it. This prevents any legitimate traffic from getting to the dashboard, and can last indefinitely. Version 0.6.2 has a patch for this issue. As a workaround, do not use HTTPS mode on the open internet where anyone can connect. Instead, put a reverse proxy in front of the dashboard, and have it handle any HTTPS connections.

pub. 2023-07-27
7.5
CVSS
HIGH
CVE-2023-22318

Denial of service in Webconf in Tribe29 Checkmk Appliance before 1.6.5.

pub. 2023-05-15
7.1
CVSS
HIGH
CVE-2026-25612

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.

pub. 2026-02-10
3.3
CVSS
LOW
CVE-2019-11485

Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling.

pub. 2020-02-08
Information
ID: CWE-412
Type: Base
Vulnerabilities: 5
MITRE CWE ↗
← CWE Dictionary