目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-457 使用未经初始化的变量 类漏洞列表 122

CWE-457 使用未经初始化的变量 类弱点 122 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-457 属于使用未初始化变量的漏洞。在 C/C++ 等语言中,栈变量默认未初始化,可能包含内存残留的垃圾数据。攻击者可通过读取或控制这些内容,导致程序行为不可预测,进而引发信息泄露或逻辑错误。开发者应确保所有变量在使用前显式初始化,并启用编译器警告以检测潜在风险,从而消除不确定性带来的安全隐患。

MITRE CWE 官方描述
CWE:CWE-457 使用未初始化的变量(Use of Uninitialized Variable) 英文:代码使用了未初始化的变量,导致不可预测或非预期的结果。 在某些语言(如 C 和 C++)中,栈变量(stack variables)默认不会进行初始化。它们通常包含垃圾数据(junk data),即函数被调用前栈内存(stack memory)的内容。攻击者有时可以控制或读取这些内容。在其他语言或条件下,未显式初始化的变量可能会被赋予具有安全影响的默认值,这取决于程序的逻辑。未初始化变量的存在有时可能表明代码中存在拼写错误。
常见影响 (2)
Availability, Integrity, OtherOther
Initial variables usually contain junk, which can not be trusted for consistency. This can lead to denial of service conditions, or modify control flow in unexpected ways. In some cases, an attacker can "pre-initialize" the variable using previous actions, which might enable code execution. This can…
Authorization, OtherOther
Strings that are not initialized are especially dangerous, since many functions expect a null at the end -- and only at the end -- of a string.
缓解措施 (5)
ImplementationEnsure that critical variables are initialized before first use [REF-1485].
Build and CompilationMost compilers will complain about the use of uninitialized variables if warnings are turned on.
Implementation, OperationWhen using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
RequirementsChoose a language that is not susceptible to these issues.
Architecture and DesignMitigating technologies such as safe string libraries and container abstractions could be introduced.
代码示例 (2)
This code prints a greeting using information stored in a POST request:
if (isset($_POST['names'])) { $nameArray = $_POST['names']; } echo "Hello " . $nameArray['first'];
Bad · PHP
The following switch statement is intended to set the values of the variables aN and bN before they are used:
int aN, Bn; switch (ctl) { case -1: aN = 0; bN = 0; break; case 0: aN = i; bN = -i; break; case 1: aN = i + NEXT_SZ; bN = i - NEXT_SZ; break; default: aN = -1; aN = -1; break; } repaint(aN, bN);
Bad · C
CVE ID标题CVSS风险等级Published
CVE-2019-1010319 WavPack 安全漏洞 — WavPack 7.1 -2019-07-11
CVE-2019-11038 PHP GD Graphics Library 输入验证错误漏洞 — PHP 5.3 -2019-06-18

CWE-457(使用未经初始化的变量) 是常见的弱点类别,本平台收录该类弱点关联的 122 条 CVE 漏洞。