CWE-453: Insecure Default Variable Initialization

Export to Word

Description

The product, by default, initializes an internal variable with an insecure or less secure value than is possible.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2022-36349

insecure default variable initialization in BIOS firmware for a hardware board allows DoS

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Modify Application Data — Notes: An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

System Configuration: Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled. (N/A)

Applicable Platforms

PHP (N/A, Sometimes)
None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: This code attempts to login a user using credentials from a POST request:

Body: Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials.

// $user and $pass automatically set from POST request if (login_user($user,$pass)) { $authorized = true; } ... if ($authorized) { generatePage(); }

Notes

Maintenance: This overlaps other categories, probably should be split into separate items.

← Back to CWE list