CWE-456: Missing Initialization of a Variable

Causes

• This function attempts to extract a pair of numbers from a user-supplied string. This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:,then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
• Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
• This code first authenticates a user, then allows a delete command if the user is an administrator. The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.
• In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser. However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.
• This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address. [object Object],Another solution is to ensure that each branch of the conditional - including the default/else branch - could ensure that test_string is set:
• [object Object] [object Object],[object Object]

Remediation

• Implementation: Ensure that critical variables are initialized before first use [REF-1485].
• Requirements: Choose a language that is not susceptible to these issues.

Detection

• Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Related CWEs

• CWE-454: External Initialization of Trusted Variables or Data Stores
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-457: Use of Uninitialized Variable
• CWE-665: Improper Initialization
• CWE-665: Improper Initialization
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE-909: Missing Initialization of Resource
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.