Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-665 (初始化不恰当) — Vulnerability Class 81

81 vulnerabilities classified as CWE-665 (初始化不恰当). AI Chinese analysis included.

CWE-665 represents a critical initialization weakness where software fails to properly set up a resource, leaving it in an unpredictable state upon access. This flaw is typically exploited when attackers leverage uninitialized variables, such as authentication flags or memory buffers, to bypass security controls or trigger undefined behavior. For instance, an uninitialized boolean flag might default to a permissive value, allowing unauthorized access without valid credentials. To mitigate this risk, developers must enforce strict initialization practices, ensuring all variables and resources are explicitly assigned safe default values before use. Implementing compiler warnings for uninitialized variables, conducting thorough code reviews, and adopting secure coding standards like OWASP guidelines further reduce the likelihood of this vulnerability. By guaranteeing that every resource starts in a known, secure state, organizations can prevent attackers from manipulating unexpected conditions to compromise system integrity.

MITRE CWE Description
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Common Consequences (3)
ConfidentialityRead Memory, Read Application Data
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Access ControlBypass Protection Mechanism
If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.
AvailabilityDoS: Crash, Exit, or Restart
The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a…
Mitigations (5)
RequirementsUse a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initializat…
Architecture and DesignIdentify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
ImplementationExplicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
ImplementationPay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
ImplementationAvoid race conditions (CWE-362) during initialization routines.
Examples (2)
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
private boolean initialized = true; public void someMethod() { if (!initialized) { // perform initialization tasks ... initialized = true; }
Bad · Java
The following code intends to limit certain operations to the administrator only.
$username = GetCurrentUser(); $state = GetStateData($username); if (defined($state)) { $uid = ExtractUserID($state); } # do stuff if ($uid == 0) { DoAdminThings(); }
Bad · Perl
CVE IDTitleCVSSSeverityPublished
CVE-2021-29614 Interpreter crash from `tf.io.decode_raw` — tensorflow 7.1 High2021-05-14
CVE-2020-35508 Linux kernel 安全漏洞 — kernel 5.8 -2021-03-26
CVE-2019-10196 Nathan Rajlich node-http-proxy-agent 安全漏洞 — nodejs-http-proxy-agent 9.1 -2021-03-19
CVE-2020-8918 TPM 1.2 key authorization values are vulnerable to a TPM transport eavesdropper — google/go-tpm library 6.3 Medium2020-08-11
CVE-2020-14347 X.Org X Server 信息泄露漏洞 — xorg-x11-server 5.5 Medium2020-08-05
CVE-2020-4067 Improper Initialization in coturn — coturn 7.0 High2020-06-29
CVE-2020-10725 DPDK 安全漏洞 — dpdk 7.7 High2020-05-20
CVE-2019-15681 LibVNCServer 安全漏洞 — LibVNC 7.5 -2019-10-29
CVE-2019-1840 Cisco Prime Network Registrar Denial of Service Vulnerability — Cisco Prime Network Registrar 7.5 -2019-04-18
CVE-2019-1761 Cisco IOS and IOS XE Software Hot Standby Router Protocol Information Leak Vulnerability — Cisco IOS and IOS XE Software 6.5 -2019-03-28
CVE-2019-8277 UltraVNC 资源管理错误漏洞 — UltraVNC 7.5 -2019-03-09
CVE-2019-8259 UltraVNC 资源管理错误漏洞 — UltraVNC 7.5 -2019-03-05
CVE-2018-14647 Python 资源管理错误漏洞 — Python 6.2 -2018-09-25
CVE-2018-10915 PostgreSQL SQL注入漏洞 — postgresql 7.5 -2018-08-09
CVE-2018-14282 Foxit Reader和PhantomPDF 安全漏洞 — Foxit Reader 8.8 -2018-07-31
CVE-2018-10901 Linux kernel 权限许可和访问控制问题漏洞 — kernel: 7.8 -2018-07-26
CVE-2018-10484 Foxit Reader 安全漏洞 — Foxit Reader 8.8 -2018-05-17
CVE-2018-1174 Foxit Reader 信息泄露漏洞 — Foxit Reader 6.5 -2018-05-17
CVE-2018-1175 Foxit Reader 信息泄露漏洞 — Foxit Reader 6.5 -2018-05-17
CVE-2018-1118 Linux kernel 信息泄露漏洞 — vhost 5.5 -2018-05-10
CVE-2016-9594 Haxx curl 安全漏洞 — curl 8.1 -2018-04-23

Vulnerabilities classified as CWE-665 (初始化不恰当) represent 81 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.