CWE-909
Missing Initialization of Resource
Moyen
Incomplete
2013-02-21
00h00 +00:00
00h00 +00:00
2023-10-26
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Missing Initialization of Resource
The product does not initialize a critical resource.
Description du CWE
Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality | Read Memory, Read Application Data Note: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. | |
| Availability | DoS: Crash, Exit, or Restart Note: The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. |
Exemples observés
| Références | Description |
|---|---|
CVE-2020-20739 | A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage |
CVE-2005-1036 | Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap |
Mesures d’atténuation potentielles
Phases : ImplementationExplicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Phases : Implementation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Phases : Implementation
Avoid race conditions (CWE-362) during initialization routines.
Phases : Build and Compilation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateCommentaire : Examine children of this entry to see if there is a better fit
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 2.4 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples | |
| CWE Content Team | MITRE | updated Description, Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Mapping_Notes, Type |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.