CWE-837 对单一独特动作的实施不恰当

Improper Enforcement of a Single, Unique Action

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.

扩展描述

In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 799 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 799 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Other An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software.

分析过的案例

标识 说明 链接
CVE-2008-0294 Ticket-booking web application allows a user to lock a seat more than once. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0294
CVE-2005-4051 CMS allows people to rate downloads by voting more than once. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4051
CVE-2002-216 Polling software allows people to vote more than once by setting a cookie. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-216
CVE-2003-1433 Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1433
CVE-2002-1018 Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1018
CVE-2009-2346 Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2346