logo

CWE-665 - Improper Initialization

CWE-665 Medium

  • Abstraction:
  • Class
  • Structure:
  • Simple
  • Status:
  • Draft
Weakness Name

Improper Initialization

Description

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.

Common Consequences

Scope: Confidentiality

Impact: Read Memory, Read Application Data

Notes: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.

Scope: Access Control

Impact: Bypass Protection Mechanism

Notes: If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

Notes: The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments.

Related Weaknesses
CWE-664
  • Release Date:
  • 2008-04-11
  • Latest Modification Date:
  • 2024-02-29