
CWE-453 (Insecure Default Variable Initialization) — Vulnerability Class 14

14 vulnerabilities classified as CWE-453 (Insecure Default Variable Initialization). AI Chinese analysis included.

CWE-453 describes an initialization weakness in which software sets an internal variable to an insecure or less secure value by default, rather than to the most secure option available. Because the default is predictable and ships with the product, an attacker who knows it can rely on that state to gain unauthorized access, leak data, or escalate privileges whenever the default fails to enforce the necessary security control. Typical instances include a session token initialized to a known value, an encryption key left unset, or an authorization flag that is never explicitly set to a safe value before use. Developers mitigate this risk by auditing initialization routines and ensuring that every security-relevant variable is explicitly set to a secure value before any untrusted input is consulted, with shipped defaults changed at deployment. Secure-by-design practices, such as requiring explicit configuration for sensitive parameters and checking defaults against a security baseline, keep these weaknesses out of production.

MITRE CWE Description
The product, by default, initializes an internal variable with an insecure or less secure value than is possible.
Common Consequences (1)
Integrity: Modify Application Data
An attacker could gain access to and modify sensitive data or system information.
Mitigations (1)
System Configuration: Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.
Examples (1)
This code attempts to login a user using credentials from a POST request:

Bad · PHP

    // $user and $pass automatically set from POST request
    if (login_user($user,$pass)) {
        $authorized = true;
    }
    ...
    if ($authorized) {
        generatePage();
    }

Good · PHP

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $authorized = false;
    if (login_user($user,$pass)) {
        $authorized = true;
    }
    ...
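The MITRE example above relies on PHP's old register_globals behaviour, under which request parameters became ordinary variables, so a client could supply its own "authorized" value and the uninitialized flag would take it. The following self-contained script is an added example, not MITRE's or the page's code: it reproduces that pattern with extract() standing in for register_globals (removed in PHP 5.4), runs the vulnerable and the fixed variant side by side on constructed requests, and shows that only the explicit fail-closed default resists a smuggled parameter. login_user(), VALID_USERS and the request arrays are assumptions constructed for the demo.

```php
<?php
// Added example for CWE-453 (not from MITRE or the page). extract() is used here to
// stand in for the old register_globals behaviour (request parameters becoming local
// variables), so the effect is observable on a current PHP without touching php.ini.

declare(strict_types=1);

// Constructed credential store for the demo; login_user() is a stand-in for the
// helper referenced in the example above.
const VALID_USERS = ['alice' => 'correct horse battery staple'];

function login_user(string $user, string $pass): bool
{
    return isset(VALID_USERS[$user]) && hash_equals(VALID_USERS[$user], $pass);
}

// Vulnerable: $authorized is never initialised before the request is unpacked into
// the local scope, so a client-supplied "authorized" parameter is silently trusted.
function authorize_vulnerable(array $request): bool
{
    extract($request);                              // mimics register_globals
    if (login_user((string) ($user ?? ''), (string) ($pass ?? ''))) {
        $authorized = true;
    }
    return (bool) ($authorized ?? false);           // reads whatever the request left behind
}

// Fixed: the security-relevant flag gets an explicit fail-closed default before any
// input is consulted, and request fields are read by name rather than spilled into scope.
function authorize_fixed(array $request): bool
{
    $authorized = false;                            // secure default, set first
    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');
    if (login_user($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a correct login, a wrong password, and a wrong password that
// also carries an "authorized" field the application never intended to accept.
$cases = [
    'valid login'       => ['user' => 'alice', 'pass' => 'correct horse battery staple'],
    'wrong password'    => ['user' => 'alice', 'pass' => 'nope'],
    'smuggled variable' => ['user' => 'alice', 'pass' => 'nope', 'authorized' => '1'],
];

foreach ($cases as $label => $request) {
    printf(
        "%-18s vulnerable=%-5s fixed=%s\n",
        $label,
        var_export(authorize_vulnerable($request), true),
        var_export(authorize_fixed($request), true)
    );
}
```

Run it with a PHP CLI; the first two cases agree, while the third shows the vulnerable variant granting access on a failed login because the flag inherited the request's value. The defensive lesson is the one the CWE mitigation states: initialise every security-relevant variable to its safe value before reading untrusted input, and never let request data populate local scope wholesale (extract() on request arrays deserves the same treatment register_globals got).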

Vulnerabilities classified as CWE-453 (Insecure Default Variable Initialization) represent 14 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.