Skills
skills/developerscoffee/java-cwe-security-skills/cwe-820-unsynchronized-access

cwe-820-unsynchronized-access

SKILL.md

CWE-820 Missing Synchronization

Description

Missing Synchronization

Reference: https://cwe.mitre.org/data/definitions/820.html

OWASP Category: A04:2021 – Insecure Design

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Unsynchronized access to shared state
public class Counter {
    private int count = 0;  // Shared mutable state!

    public void increment() {
        count++;  // Not atomic - race condition!
    }

    public int getCount() {
        return count;
    }
}

// VULNERABLE: Non-thread-safe collection
private Map<String, Session> sessions = new HashMap<>();  // Not thread-safe!

public void addSession(String id, Session session) {
    sessions.put(id, session);  // Concurrent modification risk!
}

Why it's vulnerable: This pattern is vulnerable to Missing Synchronization

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use AtomicInteger for counters
public class Counter {
    private final AtomicInteger count = new AtomicInteger(0);

    public void increment() {
        count.incrementAndGet();  // Atomic operation
    }

    public int getCount() {
        return count.get();
    }
}

// SECURE: Use ConcurrentHashMap for shared maps
private final Map<String, Session> sessions = new ConcurrentHashMap<>();

public void addSession(String id, Session session) {
    sessions.put(id, session);  // Thread-safe
}

// SECURE: Use synchronized for complex operations
public class Account {
    private BigDecimal balance;
    private final Object lock = new Object();

    public void transfer(Account target, BigDecimal amount) {
        // Lock ordering to prevent deadlock
        Object first = System.identityHashCode(this) < System.identityHashCode(target)
            ? this.lock : target.lock;
        Object second = first == this.lock ? target.lock : this.lock;

        synchronized (first) {
            synchronized (second) {
                this.balance = this.balance.subtract(amount);
                target.balance = target.balance.add(amount);
            }
        }
    }
}

Why it's secure: Implements proper protection against Missing Synchronization

Detection Pattern

Look for these patterns in your codebase:

# Find unsynchronized shared fields
grep -rn "private.*Map.*=.*new HashMap\\|private int.*=" --include="*.java"

Remediation Steps

  1. Use AtomicInteger/AtomicLong for counters

  2. Use ConcurrentHashMap instead of HashMap

  3. Use Collections.synchronizedMap() if needed

  4. Add synchronized blocks for compound operations

Key Imports


import java.util.concurrent.atomic.AtomicInteger;

import java.util.concurrent.ConcurrentHashMap;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-820 vulnerability
Resolve Missing Synchronization issue
Secure this Java code against missing synchronization
SAST reports CWE-820

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07

Weekly Installs
1
Repository
developerscoffe…y-skills
First Seen
10 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
mcpjam1
claude-code1
replit1
junie1
windsurf1
zencoder1