A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2003-0740Server leaks a privileged file descriptor, allowing the server to be hijacked.
CVE-2004-1033File descriptor leak allows read of restricted files.
CVE-2000-0094Access to restricted resource using modified file descriptor for stderr.
CVE-2002-0638Open file descriptor used as alternate channel in complex race condition.
CVE-2003-0489Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability.