CWE-1419: Incorrect Initialization of Resource
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.
常见后果
影响范围: Confidentiality
技术影响: Read Memory Read Application Data Unexpected State
影响范围: Authorization Integrity
技术影响: Gain Privileges or Assume Identity
影响范围: Other
技术影响: Varies by Context
说明: The technical impact can vary widely based on how the resource is used in the product, and whether its contents affect security decisions.
潜在缓解措施
阶段: Implementation
描述: Choose the safest-possible initialization for security-related resources.
阶段: Implementation
描述: Ensure that each resource (whether variable, memory buffer, register, etc.) is fully initialized.
阶段: Implementation
描述: Pay close attention to complex conditionals or reset sources that affect initialization, since some paths might not perform the initialization.
阶段: Architecture and Design
描述: Ensure that the design and architecture clearly identify what the initialization should be, and that the initialization does not have security implications.
观察示例
参考: CVE-2020-27211
Chain: microcontroller system-on-chip uses a register value stored in flash to set product protection state on the memory bus and does not contain protection against fault injection (CWE-1319) which leads to an incorrect initialization of the memory bus (CWE-1419) causing the product to be in an unprotected state.
参考: CVE-2023-25815
chain: a change in an underlying package causes the gettext function to use implicit initialization with a hard-coded path (CWE-1419) under the user-writable C:\ drive, introducing an untrusted search path element (CWE-427) that enables spoofing of messages.
参考: CVE-2022-43468
WordPress module sets internal variables based on external inputs, allowing false reporting of the number of views
参考: CVE-2022-36349
insecure default variable initialization in BIOS firmware for a hardware board allows DoS
参考: CVE-2015-7763
distributed filesystem only initializes part of the variable-length padding for a packet, allowing attackers to read sensitive information from previously-sent packets in the same memory location
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
| Manufacturing | - |
| Installation | - |
| System Configuration | - |
| Operation | - |