CWE-665 - Improper Initialization
CWE-665 Medium
- Abstraction:
- Class
- Structure:
- Simple
- Status:
- Draft
- Weakness Name
Improper Initialization
- Description
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
- Common Consequences
Scope: Confidentiality
Impact: Read Memory, Read Application Data
Notes: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Scope: Access Control
Impact: Bypass Protection Mechanism
Notes: If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.
Scope: Availability
Impact: DoS: Crash, Exit, or Restart
Notes: The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments.
- Related Weaknesses
- Release Date:
- 2008-04-11
- Latest Modification Date:
- 2024-02-29
Free security scan for your website