
CWE-455 (Non-exit on Failed Initialization) — Vulnerability Class 1

1 vulnerability classified as CWE-455 (Non-exit on Failed Initialization). AI-generated Chinese analysis included.

CWE-455 is a logic error in which software neither exits nor changes its behavior when a security-relevant initialization step fails, for example a configuration file that does not parse or a hardware security module (HSM) that cannot be activated. An attacker who can provoke such a failure (a malformed config, an unreachable HSM, a missing state record) pushes the application into a degraded state in which the intended security controls are never installed. If a service cannot load its encryption keys, it may keep running with a default, empty or all-zero key; if a lookup that should establish a user's identity fails, the "unset" value left behind may compare equal to a privileged identity. The defense is to treat every security-critical initialization failure as fatal: check the result of each initialization step, and on failure either terminate or fall back to an explicitly safe, more restrictive mode rather than continuing with whatever defaults happen to be in memory. Error messages emitted on that path should name the failed component without revealing sensitive detail. Failing closed in this way keeps the running process consistent with the security posture the administrator configured.

MITRE CWE Description
The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.
Common Consequences (1)
Scope: Integrity, Other
Impact: Modify Application Data, Alter Execution Logic
The application could be placed in an insecure state that may allow an attacker to modify sensitive data or allow unintended logic to be executed.
Mitigations (1)
Phase: Implementation
Follow the principle of failing securely when an error occurs. The system should enter a state where it is not vulnerable and will not display sensitive error messages to a potential attacker.
Examples (1)
The following code intends to limit certain operations to the administrator only.

    $username = GetCurrentUser();
    $state = GetStateData($username);
    # If no state record exists, $state is undef and $uid is never assigned.
    if (defined($state)) {
        $uid = ExtractUserID($state);
    }

    # do stuff

    # In Perl an undefined $uid numifies to 0, so ($uid == 0) is true and
    # DoAdminThings() runs for a user whose state could not be loaded.
    if ($uid == 0) {
        DoAdminThings();
    }

Bad · Perl
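The Perl example above and the HSM case in the description are two instances of the same weakness: a failed initialization step whose result is never checked, so the program keeps running on a default value that happens to grant privilege or disable protection. The following C program is an added example, not code from MITRE, from this page, or from any real product; every name in it (lookup_uid, hsm_load_key, service_key, the user table and the 0xA5 key bytes) is a constructed stand-in. It shows each pattern in its non-exiting form beside a fail-closed form.

```c
/* Added example for CWE-455 (Non-exit on Failed Initialization).
 * All functions, the user table and the in-memory "HSM" are hypothetical,
 * constructed for this illustration; nothing here is from a real system. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ROOT_UID 0
#define KEY_LEN  16

/* ---- Pattern 1: session state lookup (mirrors the Perl example) ---- */

/* Hypothetical state store: returns 0 and sets *uid on success,
 * -1 when no state record exists for the user (the failed initialization). */
static int lookup_uid(const char *user, int *uid)
{
    if (strcmp(user, "root") == 0)  { *uid = ROOT_UID; return 0; }
    if (strcmp(user, "alice") == 0) { *uid = 1000;     return 0; }
    return -1;
}

/* Non-exiting (vulnerable): a failed lookup leaves uid at its "unset" value 0,
 * which is also root's uid, so a user with no state record becomes admin.
 * This is the C equivalent of Perl's undef == 0 being true. */
bool is_admin_vulnerable(const char *user)
{
    int uid = 0;
    lookup_uid(user, &uid);          /* return value never checked */
    return uid == ROOT_UID;
}

/* Fail-closed: an initialization failure is an explicit deny. */
bool is_admin_fail_closed(const char *user)
{
    int uid;
    if (lookup_uid(user, &uid) != 0)
        return false;                /* no state -> never admin */
    return uid == ROOT_UID;
}

/* ---- Pattern 2: key material from an HSM that may fail to activate ---- */

static unsigned char service_key[KEY_LEN];   /* hypothetical service state */

/* Hypothetical HSM driver: fills key and returns 0 when the module is online;
 * returns -1 and leaves the buffer untouched otherwise. */
static int hsm_load_key(bool hsm_online, unsigned char key[KEY_LEN])
{
    if (!hsm_online)
        return -1;
    memset(key, 0xA5, KEY_LEN);      /* constructed stand-in for real key bytes */
    return 0;
}

/* Check helper: true when the service would be operating under a null key. */
bool service_key_is_all_zero(void)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        if (service_key[i] != 0)
            return false;
    return true;
}

/* Non-exiting (vulnerable): reports "started" even when the HSM failed,
 * so everything afterwards is protected by an all-zero key. */
bool start_service_vulnerable(bool hsm_online)
{
    memset(service_key, 0, KEY_LEN);
    hsm_load_key(hsm_online, service_key);   /* failure ignored */
    return true;
}

/* Fail-closed: refuse to start so the caller exits instead of running degraded.
 * The message names the failed component and reveals nothing sensitive. */
bool start_service_fail_closed(bool hsm_online)
{
    memset(service_key, 0, KEY_LEN);
    if (hsm_load_key(hsm_online, service_key) != 0) {
        fprintf(stderr, "fatal: HSM not available, refusing to start\n");
        return false;
    }
    return true;
}

int main(void)
{
    printf("mallory is admin (vulnerable):  %d\n", is_admin_vulnerable("mallory"));
    printf("mallory is admin (fail-closed): %d\n", is_admin_fail_closed("mallory"));
    printf("start without HSM (vulnerable): %d, null key: %d\n",
           start_service_vulnerable(false), service_key_is_all_zero());
    printf("start without HSM (fail-closed): %d\n", start_service_fail_closed(false));
    return 0;
}
```

The point of each fail-closed variant is that the failure of the initializing call is what decides the outcome, not whatever value the uninitialized state happens to hold. In a real service the caller of start_service_fail_closed would exit on false rather than continue.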
CVE ID          Title                                          CVSS  Severity  Published
CVE-2022-4662   Linux kernel security vulnerability — Kernel   5.5   -         2022-12-22

Vulnerabilities classified as CWE-455 (Non-exit on Failed Initialization) represent 1 CVE. The CWE taxonomy describes the weakness; review the individual CVE for product-specific impact.