Time-of-check Time-of-use (TOCTOU) Race Condition

2024-07-1808:55:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache streampipes

toctou

vulnerability

user registration

synchronization

email address

user management

race condition

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

10.7%

JSON

Apache streampipes is vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. The vulnerability arises from insufficient synchronization during user registration, allowing multiple simultaneous requests to check and register a user using the same email address. Attackers exploit this by creating multiple identical user accounts before the email address is officially registered, leading to corruption in user management.