
CWE-1188 (Insecure Default Initialization of Resource) — Vulnerability Class 93

93 vulnerabilities are classified as CWE-1188 (Insecure Default Initialization of Resource). AI-generated Chinese analysis is included.

CWE-1188 is an initialization weakness in which a software component establishes a resource using a default configuration that lacks adequate security controls. The flaw typically arises when developers prioritize rapid deployment or ease of use over security hygiene, leaving critical settings such as passwords, encryption keys, or access permissions in a vulnerable state. Attackers exploit it by identifying these predictable, insecure defaults to gain unauthorized access, escalate privileges, or exfiltrate sensitive data without having to bypass any authentication mechanism. To mitigate the risk, developers must ship secure defaults: generate strong, random credentials during installation or at first run, and apply the principle of least privilege to default permissions. Furthermore, mandatory configuration checks that refuse to run the application with insecure defaults ensure that administrators are compelled to secure the environment before the system becomes reachable by potential threats.

MITRE CWE Description
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Common Consequences (1)
Scope: Other · Impact: Varies by Context
The impact of insecure defaults varies widely depending on the functionality that the product controls.
Examples (1)
This code attempts to log in a user using credentials from a POST request:

Bad · PHP

    // $user and $pass automatically set from POST request
    // $authorized is never initialized, so it can arrive pre-set from the request as well
    if (login_user($user,$pass)) {
        $authorized = true;
    }
    ...
    if ($authorized) {
        generatePage();
    }

Good · PHP

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $authorized = false;   // explicit secure default before any check runs
    if (login_user($user,$pass)) {
        $authorized = true;
    }
    ...
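A hardened initialization routine for the two mitigations described above (a strong random credential minted at first run, and a startup check that refuses a shipped default), as an added example that is not part of this page or MITRE's PHP sample; the default values in KNOWN_INSECURE_DEFAULTS and the secret file path are constructed for illustration.

```python
import hmac
import os
import secrets
import stat
import tempfile

# Constructed sample: values a product might ship in its example config; neither is a real default.
KNOWN_INSECURE_DEFAULTS = {"CHANGE_ME", "example-default-key-from-sample-config-0000"}

class InsecureDefaultError(RuntimeError):
    """The application would start with a default the operator was supposed to change."""

def validate_secret(secret, known_defaults=KNOWN_INSECURE_DEFAULTS, min_len=32):
    """Return True only if the secret is neither a shipped default nor too short."""
    if not secret or len(secret) < min_len:
        raise InsecureDefaultError("secret missing or shorter than %d characters" % min_len)
    # Constant-time comparison so the check itself does not leak which default matched.
    for default in known_defaults:
        if hmac.compare_digest(secret.encode(), default.encode()):
            raise InsecureDefaultError("secret is a shipped default; generate a unique value")
    return True

def install_secret(path):
    """First-run initialization: mint a random secret and store it owner-read/write only."""
    secret = secrets.token_urlsafe(48)  # 64 URL-safe chars, 384 bits of entropy
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: never clobber
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return secret

def load_or_install_secret(path):
    """Load and validate an existing secret; generate one only when none has been installed."""
    if os.path.exists(path):
        with open(path) as fh:
            secret = fh.read().strip()
    else:
        secret = install_secret(path)
    validate_secret(secret)  # refuse to start on a shipped or weak default
    return secret

def demo():
    """First install followed by a restart in a temp dir; returns facts a test can check."""
    path = os.path.join(tempfile.mkdtemp(), "secret_key")  # constructed location
    first = load_or_install_secret(path)
    second = load_or_install_secret(path)  # restart must reuse, not regenerate
    return len(first), stat.S_IMODE(os.stat(path).st_mode), first == second
```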
CVE ID | Title | CVSS | Severity | Published
CVE-2024-5801 | IP Forwarding enabled in B&R Automation Runtime — Automation Runtime | 7.5 (AI) | High (AI) | 2024-08-10
CVE-2024-34063 | Degraded secret zeroization capabilities in vodozemac — vodozemac | 2.5 | Low | 2024-05-03
CVE-2024-32114 | Apache ActiveMQ: Jolokia and REST API were not secured with default configuration — Apache ActiveMQ | 8.5 | High | 2024-05-02
CVE-2024-2912 | Insecure Deserialization Leading to RCE in bentoml/bentoml — bentoml/bentoml | 10.0 | Critical | 2024-04-16
CVE-2024-0387 | EDS-4000/G4000 Series IP Forwarding Vulnerability — EDS-4008 Series | 6.5 | Medium | 2024-02-26
CVE-2024-26267 | Liferay Portal and Liferay DXP security vulnerability — Portal | 5.3 | Medium | 2024-02-20
CVE-2024-25610 | Liferay Portal and Liferay DXP security vulnerability — Portal | 9.0 | Critical | 2024-02-20
CVE-2024-22388 | Insecure Default Initialization of Resource in HID Global — iCLASS SE CP1000 Encoder | 5.9 | Medium | 2024-02-06
CVE-2024-22207 | Default swagger-ui configuration exposes all files in the module — fastify-swagger-ui | 5.3 | Medium | 2024-01-15
CVE-2023-6448 | Unitronics VisiLogic uses a default administrative password — VisiLogic | 9.8 | Critical | 2023-12-05
CVE-2023-5368 | msdosfs data disclosure — FreeBSD | 3.3 | - | 2023-10-04
CVE-2023-40708 | Improper Access Control in OPTO 22 SNAP PAC S1 — SNAP PAC S1 | 5.8 | Medium | 2023-08-24
CVE-2023-3453 | ETIC Telecom Insecure Default Initialization of Resource — Remote Access Server (RAS) | 7.1 | High | 2023-08-23
CVE-2023-33949 | Liferay Portal and Liferay DXP security vulnerability — Portal | 5.3 | Medium | 2023-05-24
CVE-2023-31101 | Apache InLong: Users who joined later can see the data of deleted users — Apache InLong | 5.3 | - | 2023-05-22
CVE-2023-27524 | Apache Superset: Session validation vulnerability when using provided default SECRET_KEY — Apache Superset | 8.9 | High | 2023-04-24
CVE-2023-28978 | Junos OS Evolved: Read access to some confidential user information is possible — Junos OS Evolved | 5.3 | Medium | 2023-04-17
CVE-2022-48432 | JetBrains IntelliJ IDEA security vulnerability — IntelliJ IDEA | 5.2 | Medium | 2023-03-29
CVE-2022-4224 | CODESYS: Exposure of Resource to Wrong Sphere in CODESYS V3 — Control RTE (SL) | 8.8 | High | 2023-03-23
CVE-2022-48342 | JetBrains TeamCity security vulnerability — TeamCity | 5.2 | Medium | 2023-02-23
CVE-2022-2196 | Speculative execution attacks in KVM VMX — Linux Kernel | 5.8 | Medium | 2023-01-09
CVE-2022-41648 | HEIDENHAIN TNC 640 authorization vulnerability — HEIDENHAIN Controller TNC 640 NC Software | 9.8 | - | 2022-10-28
CVE-2022-42467 | h2 webconsole (available only in prototype mode) should nevertheless be disabled by default. — Apache Isis | 7.5 | - | 2022-10-19
CVE-2022-1278 | WildFly security vulnerability — WildFly | 7.5 | - | 2022-09-13
CVE-2022-32480 | Dell PowerScale OneFS security vulnerability — PowerScale OneFS | 4.3 | Medium | 2022-08-22
CVE-2021-3586 | Red Hat OpenShift Service Mesh security feature issue vulnerability — servicemesh-operator | 8.8 | - | 2022-08-22
CVE-2022-31806 | Insecure default settings in CODESYS Runtime Toolkit 32 bit full and CODESYS PLCWinNT — CODESYS PLCWinNT | 9.8 | Critical | 2022-06-24
CVE-2022-24287 | Siemens SIMATIC security vulnerability — SIMATIC PCS 7 V8.2 | 7.8 | High | 2022-05-10
CVE-2022-24706 | Remote Code Execution Vulnerability in Packaging — Apache CouchDB | 9.8 | - | 2022-04-26
CVE-2021-41192 | Insecure default configuration — redash | 8.1 | High | 2021-11-23

Vulnerabilities classified as CWE-1188 (Insecure Default Initialization of Resource) total 93 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.