Insecure API Access: Time-of-Check to Time-of-Use Vulnerability
Description
The software checks the state of a resource before using it, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
Examples
Insecure Code
```c
/* Check-then-use on a path: what the path resolves to can change between
 * the access() check and the later open() */
if (access("/path/to/file", R_OK) == 0) {
    /* use the file */
}
```
Secure Code
```c
/* Open first; the open() itself is the atomic check-and-use step, and any
 * further inspection should be done on the descriptor, not the path */
int fd = open("/path/to/file", O_RDONLY);
if (fd != -1) {
    /* use the file through fd */
    close(fd);
}
```
Remediation
Use a secure method to check and use the resource in a single, atomic operation to prevent time-of-check to time-of-use vulnerabilities.
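The following is an added example, not code from the rule page: it places the path-based check-then-use pattern next to a hardened version that opens first and then inspects the returned descriptor with fstat(), so the inspection is bound to the inode that was actually opened. Function names (read_file_toctou, read_file_atomic, run_demo), the helper functions and the temporary-file scenario are all constructed for illustration; O_NOFOLLOW is used so a symlink as the final path component is refused outright.

```c
/* Added example for CWE-367: path-based check-then-use versus open-then-fstat.
 * All function names and the /tmp scenario below are constructed for this
 * illustration; none of it is code from the rule page. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: access() and open() are two separate system calls on a
 * *path*. Anything that changes what the path resolves to in between (a
 * rename, a symlink swap) invalidates the result of the check. */
ssize_t read_file_toctou(const char *path, char *buf, size_t cap) {
    if (access(path, R_OK) != 0)        /* check ... */
        return -1;
    /* ... race window here ... */
    int fd = open(path, O_RDONLY);      /* ... use */
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Hardened pattern: open first (the atomic step), then inspect the descriptor
 * with fstat(). The descriptor refers to the inode that was actually opened,
 * so later changes to the path cannot invalidate the inspection.
 * O_NOFOLLOW refuses a symbolic link as the final path component. */
ssize_t read_file_atomic(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {  /* regular file only */
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Test fixture helpers (constructed): a temp file with known content, and a
 * symlink pointing at it. */
static int make_temp_file(const char *content, char *path_out, size_t cap) {
    const char tmpl[] = "/tmp/toctou_XXXXXX";
    if (cap < sizeof tmpl) return -1;
    strcpy(path_out, tmpl);
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    size_t len = strlen(content);
    int ok = write(fd, content, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

static int make_symlink_to(const char *target, char *link_out, size_t cap) {
    if (snprintf(link_out, cap, "%s.lnk", target) >= (int)cap) return -1;
    return symlink(target, link_out);
}

/* Scenario: a regular file is read by both versions; a symlink to it is
 * followed by the path-based version but refused by the hardened one; a
 * directory is refused because it is not a regular file. Returns 0 when
 * every expectation holds, otherwise the number of the failing step. */
int run_demo(void) {
    char path[64], link[80] = "", buf[64];
    int rc = 0;
    if (make_temp_file("secret=1\n", path, sizeof path) != 0) return 1;
    if (read_file_atomic(path, buf, sizeof buf) != 9 || strcmp(buf, "secret=1\n") != 0) rc = 2;
    else if (read_file_toctou(path, buf, sizeof buf) != 9) rc = 3;
    else if (make_symlink_to(path, link, sizeof link) != 0) rc = 4;
    else if (read_file_toctou(link, buf, sizeof buf) != 9) rc = 5;    /* follows the symlink */
    else if (read_file_atomic(link, buf, sizeof buf) != -1) rc = 6;   /* O_NOFOLLOW refuses it */
    else if (read_file_atomic("/tmp", buf, sizeof buf) != -1) rc = 7; /* directory: not S_ISREG */
    if (link[0]) unlink(link);
    unlink(path);
    return rc;
}

int main(void) {
    int rc = run_demo();
    printf("%s (step %d)\n", rc == 0 ? "all expectations held" : "expectation failed", rc);
    return rc;
}
```

The point of the hardened version is not that open() cannot fail but that every decision is made on the descriptor returned by the single open() call: fstat() on that descriptor answers "what did I actually open?", whereas access() or stat() on the path only ever answers "what did the path point to a moment ago?". Dropping privileges instead of calling access() to emulate a real-UID check removes the other common reason this pattern appears.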
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0765 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-367 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | Time-of-Check to Time-of-Use, TOCTOU |
| OWASP | N/A |