CWE-456: Missing Initialization of a Variable
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers.
For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts.
For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers.
For users who wish to see all available information for the CWE/CAPEC entry.
For users who want to customize what details are displayed.
×
Edit Custom FilterThe product does not initialize critical variables, which causes the execution environment to use unexpected values.
This table specifies different individual consequences
associated with the weakness. The Scope identifies the application security area that is
violated, while the Impact describes the negative technical impact that arises if an
adversary succeeds in exploiting this weakness. The Likelihood provides information about
how likely the specific consequence is expected to be seen relative to the other
consequences in the list. For example, there may be high likelihood that a weakness will be
exploited to achieve a certain impact, but a low likelihood that it will be exploited to
achieve a different impact.
This table shows the weaknesses and high level categories that are related to this
weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to
similar items that may exist at higher and lower levels of abstraction. In addition,
relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user
may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
Relevant to the view "CISQ Quality Measures (2020)" (CWE-1305)
Relevant to the view "CISQ Data Protection Measures" (CWE-1340)
The different Modes of Introduction provide information
about how and when this
weakness may be introduced. The Phase identifies a point in the life cycle at which
introduction
may occur, while the Note provides a typical scenario related to introduction during the
given
phase.
This listing shows possible areas for which the given
weakness could appear. These
may be for specific named Languages, Operating Systems, Architectures, Paradigms,
Technologies,
or a class of such platforms. The platform is listed along with how frequently the given
weakness appears for that instance.
Languages Class: Not Language-Specific (Undetermined Prevalence) Example 1 This function attempts to extract a pair of numbers from a user-supplied string. (bad code)
Example Language: C
void parse_data(char *untrusted_input){
int m, n, error;
error = sscanf(untrusted_input, "%d:%d", &m, &n); if ( EOF == error ){ die("Did not specify integer value. Die evil hacker!\n"); }/* proceed assuming n and m are initialized correctly */ This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form: (attack code)
123:
then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457). Example 2 Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown. (bad code)
Example Language: Java
private User user;
public void someMethod() { // Do something interesting. ... // Throws NPE if user hasn't been properly initialized. String username = user.getName(); Example 3 This code first authenticates a user, then allows a delete command if the user is an administrator. (bad code)
Example Language: PHP
if (authenticate($username,$password) && setAdmin($username)){
$isAdmin = true; }/.../ if ($isAdmin){ deleteUser($userToDelete); }The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true. Example 4 In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser. (bad code)
Example Language: Java
public class BankManager {
// user allowed to perform bank manager tasks private User user = null; private boolean isUserAuthentic = false; // constructor for BankManager class public BankManager() { ... }// retrieve user from database of users public User getUserFromUserDatabase(String username){ ... }// set user variable using username public void setUser(String username) { this.user = getUserFromUserDatabase(username); }// authenticate user public boolean authenticateUser(String username, String password) { if (username.equals(user.getUsername()) && password.equals(user.getPassword())) { }isUserAuthentic = true; }return isUserAuthentic; // methods for performing bank manager tasks ... However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code. (good code)
Example Language: Java
public class BankManager {
// user allowed to perform bank manager tasks private User user = null; private boolean isUserAuthentic = false; // constructor for BankManager class public BankManager(String username) { user = getUserFromUserDatabase(username); }// retrieve user from database of users public User getUserFromUserDatabase(String username) {...} // authenticate user public boolean authenticateUser(String username, String password) { if (user == null) {
System.out.println("Cannot find user " + username); }else { if (password.equals(user.getPassword())) { }isUserAuthentic = true; }return isUserAuthentic; // methods for performing bank manager tasks ... Example 5 This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address. (bad code)
Example Language: C
char *test_string;
if (i != err_val) { test_string = "Hello World!";
}printf("%s", test_string); When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional: (good code)
Example Language: C
char *test_string = "Done at the beginning";
if (i != err_val) { test_string = "Hello World!";
}printf("%s", test_string); Another solution is to ensure that each branch of the conditional - including the default/else branch - could ensure that test_string is set: (good code)
Example Language: C
char *test_string;
if (i != err_val) { test_string = "Hello World!";
}else { test_string = "Done on the other side!";
}printf("%s", test_string);
This MemberOf Relationships table shows additional CWE Categories and Views that
reference this weakness as a member. This information is often useful in understanding where a
weakness fits within the context of external information sources.
Relationship
This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.
Research Gap
It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.
More information is available — Please edit the custom filter or select a different filter. |
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. |