---
name: cwe-820-unsynchronized-access
description: Use this skill when you need to remediate CWE-820 (Missing Synchronization) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing missing synchronization issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-820
  - remediation
  - sast
---
# CWE-820 Missing Synchronization

## Description

Missing Synchronization: the code uses a shared resource (a field, a collection, an account balance) from several threads at once without synchronizing access to it, so reads and writes from different threads can interleave and leave the resource in an inconsistent state.

Reference: https://cwe.mitre.org/data/definitions/820.html

OWASP Category: A04:2021 – Insecure Design
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
import java.util.HashMap;
import java.util.Map;

// VULNERABLE: Unsynchronized access to shared state
public class Counter {
    private int count = 0; // Shared mutable state!

    public void increment() {
        count++; // Not atomic: read, add and write can interleave - race condition!
    }

    public int getCount() {
        return count; // No synchronization: may return a stale value
    }
}

// VULNERABLE: Non-thread-safe collection shared between request threads
class SessionRegistry {
    // Session is an application type assumed by this snippet
    private Map<String, Session> sessions = new HashMap<>(); // Not thread-safe!

    public void addSession(String id, Session session) {
        sessions.put(id, session); // Concurrent modification risk!
    }
}
```

**Why it's vulnerable:** `count++` is a read, an add and a write; two threads running it at the same time can both read the same value and one increment is lost. `HashMap` has no internal locking, so concurrent `put` calls can lose entries or corrupt the map's internal structure, and readers may observe partially updated state. Ordinary concurrent load is enough to trigger both failures, so counters, rate limits and session tables built this way cannot be trusted.
## Deterministic Fix

### ✅ Secure Implementation

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// SECURE: Use AtomicInteger for counters
public class Counter {
    private final AtomicInteger count = new AtomicInteger(0);

    public void increment() {
        count.incrementAndGet(); // Atomic read-modify-write
    }

    public int getCount() {
        return count.get();
    }
}

// SECURE: Use ConcurrentHashMap for shared maps
class SessionRegistry {
    // Session is an application type assumed by this snippet
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    public void addSession(String id, Session session) {
        sessions.put(id, session); // Thread-safe single operation
    }
}

// SECURE: Use synchronized for compound operations that span two objects
class Account {
    // Fallback lock for the rare case that two accounts share an identity hash code
    private static final Object TIE_LOCK = new Object();
    private BigDecimal balance;
    private final Object lock = new Object();

    public Account(BigDecimal initialBalance) {
        this.balance = initialBalance;
    }

    public void transfer(Account target, BigDecimal amount) {
        // Lock ordering to prevent deadlock: both directions of a transfer
        // between the same two accounts acquire the locks in the same order
        int mine = System.identityHashCode(this);
        int theirs = System.identityHashCode(target);
        if (mine == theirs) {
            // identityHashCode values can collide, so order is undefined here;
            // serialise such transfers through a global tie-break lock
            synchronized (TIE_LOCK) {
                lockedTransfer(this.lock, target.lock, target, amount);
            }
        } else {
            Object first = mine < theirs ? this.lock : target.lock;
            Object second = first == this.lock ? target.lock : this.lock;
            lockedTransfer(first, second, target, amount);
        }
    }

    private void lockedTransfer(Object first, Object second, Account target, BigDecimal amount) {
        synchronized (first) {
            synchronized (second) {
                this.balance = this.balance.subtract(amount);
                target.balance = target.balance.add(amount);
            }
        }
    }

    public BigDecimal getBalance() {
        synchronized (lock) { // Reads take the lock too, for visibility of the latest write
            return balance;
        }
    }
}
```

**Why it's secure:** `AtomicInteger` makes the increment a single atomic operation, `ConcurrentHashMap` performs each `put`/`get` safely under its own internal locking, and the `Account.transfer` compound update runs entirely inside `synchronized` blocks so no thread can observe a debited source before the target is credited. Acquiring the two account locks in a consistent order (with a tie-break lock for hash collisions) removes the deadlock that opposite transfers would otherwise create.
## Detection Pattern

Look for these patterns in your codebase. The grep is a heuristic: it also matches `final` or otherwise never-mutated fields and fields that are only touched by one thread, so treat every hit as a candidate to review rather than as a confirmed finding.

```bash
# Find unsynchronized shared fields (GNU grep; \| is basic-regex alternation)
grep -rn "private.*Map.*=.*new HashMap\\|private int.*=" --include="*.java"
```
## Remediation Steps

1. Use `AtomicInteger`/`AtomicLong` for counters
2. Use `ConcurrentHashMap` instead of `HashMap`
3. Use `Collections.synchronizedMap()` if needed
4. Add `synchronized` blocks for compound operations
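Steps 2 to 4 interact in a way that is easy to miss: a concurrent collection protects each single call, but a "check, then act" sequence is still two calls and can race. The example below is added here and is not part of the original skill; `Session` and `SessionRegistry` are stand-ins for application types, and the `hits` map is a constructed sample. It shows the racy check-then-act beside the atomic `computeIfAbsent`/`computeIfPresent` forms, and the iteration rule for `Collections.synchronizedMap()`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionRegistry {
    // Hypothetical application type, reduced to a record for this example
    public record Session(String user) {}

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    // STILL RACY: two threads can both see "absent" and both create a session,
    // even though ConcurrentHashMap makes each individual call thread-safe.
    public Session registerCheckThenAct(String id, String user) {
        if (!sessions.containsKey(id)) {          // check
            sessions.put(id, new Session(user));  // act (a separate step)
        }
        return sessions.get(id);
    }

    // FIXED: the map performs the check and the insert as one atomic step.
    public Session registerAtomic(String id, String user) {
        return sessions.computeIfAbsent(id, key -> new Session(user));
    }

    // FIXED: a read-modify-write of an existing value is also a single atomic call.
    public Session reassign(String id, String newUser) {
        return sessions.computeIfPresent(id, (key, old) -> new Session(newUser));
    }

    public int size() {
        return sessions.size();
    }
}

// Collections.synchronizedMap() locks each call on the wrapper itself, but
// iteration is many calls, so the caller must hold the wrapper's monitor.
class HitCounter {
    private final Map<String, Integer> hits = Collections.synchronizedMap(new HashMap<>());

    public void record(String path) {
        // merge() runs inside the wrapper's lock, so this read-modify-write is atomic
        hits.merge(path, 1, Integer::sum);
    }

    public int total() {
        int sum = 0;
        synchronized (hits) {                 // required while iterating
            for (int v : hits.values()) {
                sum += v;
            }
        }
        return sum;
    }
}
```

When remediating, prefer the `compute*`/`putIfAbsent`/`merge` family on a `ConcurrentHashMap` over wrapping a `containsKey` + `put` pair in your own `synchronized` block: the atomic methods are correct by construction and do not depend on every caller remembering to take the same lock.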
## Key Imports

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.ConcurrentHashMap;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
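For step 3, a unit test for a race has to actually create contention: many threads, released at the same instant, all hitting the shared object. The harness below is an added example, not part of the original skill; it uses only the JDK (no JUnit) so it can run as a plain `main`, and `THREADS` and `INCREMENTS_PER_THREAD` are constructed parameters. It hammers an unsynchronized counter, mirroring the vulnerable pattern above, and the `AtomicInteger` fix, and fails if the fixed counter loses a single update.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class CounterRaceCheck {
    static final int THREADS = 8;
    static final int INCREMENTS_PER_THREAD = 100_000;

    // Unsynchronized counter, same shape as the vulnerable pattern
    static class RacyCounter {
        private int count = 0;
        void increment() { count++; }
        int getCount() { return count; }
    }

    // Remediated counter using AtomicInteger
    static class SafeCounter {
        private final AtomicInteger count = new AtomicInteger();
        void increment() { count.incrementAndGet(); }
        int getCount() { return count.get(); }
    }

    // Runs `task` INCREMENTS_PER_THREAD times on each of THREADS threads,
    // releasing all workers at once so their updates genuinely overlap.
    static void hammer(Runnable task) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(THREADS);
        CountDownLatch start = new CountDownLatch(1);
        CountDownLatch done = new CountDownLatch(THREADS);
        for (int t = 0; t < THREADS; t++) {
            pool.execute(() -> {
                try {
                    start.await();
                    for (int i = 0; i < INCREMENTS_PER_THREAD; i++) {
                        task.run();
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    done.countDown();
                }
            });
        }
        start.countDown(); // release every worker simultaneously
        if (!done.await(1, TimeUnit.MINUTES)) {
            throw new IllegalStateException("workers did not finish in time");
        }
        pool.shutdownNow();
    }

    public static void main(String[] args) throws InterruptedException {
        int expected = THREADS * INCREMENTS_PER_THREAD;

        RacyCounter racy = new RacyCounter();
        hammer(racy::increment);
        // Usually below `expected` because interleaved count++ updates are lost;
        // the exact number varies from run to run, so it is reported, not asserted.
        System.out.println("racy counter: " + racy.getCount() + " (expected " + expected + ")");

        SafeCounter safe = new SafeCounter();
        hammer(safe::increment);
        if (safe.getCount() != expected) {
            throw new AssertionError("AtomicInteger counter lost updates: " + safe.getCount());
        }
        System.out.println("safe counter: " + safe.getCount() + " OK");
    }
}
```

Assert only on the remediated class. A stress test that passes does not prove the absence of a race, and one run of the racy class may by chance reach the expected total; the value of the test is that the fixed version must reach it every time, on every machine in CI.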
## Trigger Examples

- Fix CWE-820 vulnerability
- Resolve Missing Synchronization issue
- Secure this Java code against missing synchronization
- SAST reports CWE-820
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator

Last Updated: 2026-03-07