CWE-454 (External Initialization of Trusted Variables or Data Stores) — Vulnerability Class 2

Two CVEs are classified as CWE-454 (External Initialization of Trusted Variables or Data Stores).

CWE-454 describes software that initializes security-relevant internal variables or data stores from inputs an untrusted party can control: configuration files, environment variables, JVM system properties, HTTP request parameters, or any other data that crosses the trust boundary before it is checked. The weakness is not a parsing bug in the narrow sense; the value may be perfectly well-formed. The problem is that an outsider chooses it. Typical cases are a debug switch or role variable that a client can set from a request parameter, a privileged program that honours caller-supplied environment variables, or a startup path that copies every external key into internal state. An attacker who controls the initialization steers the program: bypassing authentication, gaining privileges (both CVEs listed below are privilege escalations), or breaking the application. Mitigation follows from the trust-boundary view. Treat every externally initialized variable as untrusted and validate it before it influences state. Allow-list the settings that may be set from outside and give each one a type-checked parser that fails closed on unexpected values. Keep trusted configuration in its own namespace (for example a dedicated prefix) so it cannot collide with generic names another process might set. Never let an external source initialize authorization state such as an admin flag; derive that from internal data only. Finally, run with least privilege so that a compromised initialization has limited reach.

MITRE CWE Description
The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.
Common Consequences (1)
Integrity: Modify Application Data
An attacker could gain access to and modify sensitive data or system information.
Mitigations (2)
Implementation: A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.
Architecture and Design: Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.
Examples (2)
In the Java example below, a system property controls the debug level of the application.
int debugLevel = Integer.getInteger("com.domain.application.debugLevel").intValue();
Bad · Java
This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set. Any client can set the switch, and debug mode in turn grants administrator status.
$debugEnabled = false;
if ($_POST["debug"] == "true"){
    $debugEnabled = true;
}
/.../
function login($username, $password){
    if($debugEnabled){
        echo 'Debug Activated';
        phpinfo();
        $isAdmin = True;
        return True;
    }
}
Bad · PHP
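The pattern shared by the two MITRE examples above (a debug or privilege flag initialized from a request parameter or an environment setting, with debug mode implying admin), beside a version that applies the mitigations listed under Mitigations: an allow-list of externally settable options, type-checked parsers that fail closed, a dedicated environment namespace, and authorization state that no external source can initialize. This is an added example written for this page, not code from MITRE or from the products in the CVE table. The CWE454DEMO_ prefix, the ROLES table, the TUNABLES allow-list and the request and environment dictionaries are constructed for illustration.

```python
"""CWE-454 demonstration: vulnerable vs. hardened initialization of internal state.

Added example for this page; not from MITRE or from any product named on it.
"""
from dataclasses import dataclass
from typing import Callable, Mapping


@dataclass(frozen=True)
class Session:
    username: str
    is_admin: bool
    debug: bool


# Constructed role table standing in for the application's own user store.
ROLES = {"alice": "admin", "bob": "user"}


def vulnerable_login(post: Mapping[str, str], env: Mapping[str, str]) -> Session:
    """Bad: every request parameter whose name matches an internal variable overwrites it."""
    state = {"username": "", "is_admin": False, "debug": False}
    for key, value in post.items():
        if key in state:            # an attacker-chosen key initializes internal state ...
            state[key] = value      # ... with no type check: the string "false" is truthy
    if env.get("DEBUG") == "1":     # generic name; any process that launches us can set it
        state["debug"] = True
    if state["debug"]:              # as in the PHP example, debug mode implies admin
        state["is_admin"] = True
    return Session(**state)


# --- Hardened ---------------------------------------------------------------

def _parse_bool(raw: str) -> bool:
    """Accept only an explicit vocabulary; anything else is an error, not 'truthy'."""
    table = {"0": False, "false": False, "off": False, "1": True, "true": True, "on": True}
    key = raw.strip().lower()
    if key not in table:
        raise ValueError(f"not a boolean: {raw!r}")
    return table[key]


def _parse_log_level(raw: str) -> int:
    level = int(raw)                # ValueError on anything that is not an integer
    if not 0 <= level <= 3:
        raise ValueError(f"log level out of range: {level}")
    return level


# Allow-list (constructed): the only settings external configuration may initialize,
# each paired with a parser that fails closed. is_admin deliberately has no entry,
# so no external source can ever initialize it.
TUNABLES: dict[str, Callable[[str], object]] = {
    "DEBUG": _parse_bool,
    "LOG_LEVEL": _parse_log_level,
}

# Dedicated namespace (assumed prefix) so a generic DEBUG=1 elsewhere in the
# environment does not reach the application.
ENV_PREFIX = "CWE454DEMO_"


def load_config(env: Mapping[str, str]) -> dict[str, object]:
    """Pull only allow-listed, type-checked settings from the namespaced environment."""
    config: dict[str, object] = {"DEBUG": False, "LOG_LEVEL": 1}   # safe defaults
    for name, raw in env.items():
        if not name.startswith(ENV_PREFIX):
            continue                                 # outside our namespace: ignored
        key = name[len(ENV_PREFIX):]
        if key not in TUNABLES:
            raise ValueError(f"unknown setting {name}")   # fail closed on typos or injection
        config[key] = TUNABLES[key](raw)
    return config


def hardened_login(post: Mapping[str, str], env: Mapping[str, str]) -> Session:
    """Good: request data supplies only the username; privilege comes from ROLES."""
    config = load_config(env)
    username = post.get("username", "")
    # Authorization is derived from trusted internal state only, and debug mode
    # changes verbosity, never privilege.
    is_admin = ROLES.get(username) == "admin"
    return Session(username=username, is_admin=is_admin, debug=bool(config["DEBUG"]))


if __name__ == "__main__":
    hostile_post = {"username": "bob", "is_admin": "false", "debug": "0"}   # constructed
    print("vulnerable:", vulnerable_login(hostile_post, {}))    # bob becomes admin
    print("hardened:  ", hardened_login(hostile_post, {"DEBUG": "1"}))   # bob stays a user
```

In the vulnerable path the client never has to send is_admin=true: debug=0 is enough, because the untyped string is truthy and debug implies admin. In the hardened path the request can carry any keys it likes and the environment can carry a generic DEBUG=1; neither reaches internal state, and an unknown or malformed value inside the CWE454DEMO_ namespace aborts startup rather than being silently accepted.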
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-26148 | Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability | Microsoft Azure AD SSH Login extension for Linux | 8.1 | High | 2026-03-10
CVE-2025-36244 | IBM AIX privilege escalation | AIX | 7.4 | High | 2025-09-16

Two CVEs are classified as CWE-454 (External Initialization of Trusted Variables or Data Stores). The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.