CWE-908 Use of Uninitialized Resource: vulnerability list (131)

Summary of 131 CVE vulnerabilities for the weakness CWE-908 Use of Uninitialized Resource, with AI analysis in Chinese.

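CWE-908 is a resource misuse weakness in which a program accesses or operates on a resource that has not been initialized. Attackers typically exploit this flaw to trigger program crashes, illegal memory accesses, or unpredictable abnormal behavior, which may lead to denial of service or further exploitation. To avoid this class of problem, developers should ensure that a resource has completed its proper initialization before it is accessed, and add strict checks of resource state and error handling, to safeguard the stability and security of the system.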

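MITRE CWE official description
CWE-908: Use of Uninitialized Resource. The product uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Common consequences (2)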
Confidentiality: Read Memory, Read Application Data
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Availability: DoS: Crash, Exit, or Restart
The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Mitigations (4)
Implementation: Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Implementation: Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Implementation: Avoid race conditions (CWE-362) during initialization routines.
Build and Compilation: Run or compile the product with settings that generate warnings about uninitialized variables or data.
Code examples (2)
Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

    private boolean initialized = true;  // mistakenly starts as true

    public void someMethod() {
        if (!initialized) {
            // perform initialization tasks (never reached)
            // ...
            initialized = true;
        }
    }

Bad · Java
The following code intends to limit certain operations to the administrator only.

    $username = GetCurrentUser();
    $state = GetStateData($username);
    if (defined($state)) {
        $uid = ExtractUserID($state);
    }

    # do stuff
    # $uid is never assigned when $state is undefined,
    # and an undefined value compares equal to 0 in Perl
    if ($uid == 0) {
        DoAdminThings();
    }

Bad · Perl
CVE ID | Title | CVSS | Severity | Published
CVE-2023-32016 | Microsoft Windows Installer security vulnerability — Windows 10 Version 1809 | 5.5 | Medium | 2023-06-13
CVE-2023-29367 | Microsoft iSCSI Target WMI Provider security vulnerability — Windows Server 2019 | 7.8 | High | 2023-06-13
CVE-2023-24941 | Microsoft Windows Network File System security vulnerability — Windows Server 2019 | 9.8 | Critical | 2023-05-09
CVE-2023-24886 | Microsoft PostScript Printer Driver security vulnerability — Windows 10 Version 1809 | 8.8 | High | 2023-04-11
CVE-2023-27598 | OpenSIPS security vulnerability — opensips | 7.5 | High | 2023-03-15
CVE-2023-23413 | Microsoft PostScript Printer Driver security vulnerability — Windows 10 Version 1809 | 8.8 | High | 2023-03-14
CVE-2021-32845 | HyperKit security vulnerability — hyperkit | 7.7 | High | 2023-02-17
CVE-2021-32846 | HyperKit code issue vulnerability — hyperkit | 7.7 | High | 2023-02-17
CVE-2023-22281 | F5 BIG-IP AFM security vulnerability — BIG-IP | 7.5 | High | 2023-02-01
CVE-2023-21753 | Microsoft Windows security vulnerability — Windows 10 Version 1809 | 5.5 | Medium | 2023-01-10
CVE-2020-36617 | Green End SFTP Server security vulnerability — sftpserver | 4.6 | Medium | 2022-12-18
CVE-2022-2949 | Altair HyperView Player security vulnerability — HyperView Player | 7.8 | High | 2022-12-13
CVE-2022-2950 | Altair HyperView Player security vulnerability — HyperView Player | 7.8 | High | 2022-12-13
CVE-2022-39282 | FreeRDP security vulnerability — FreeRDP | 3.5 | Low | 2022-10-12
CVE-2022-29240 | Scylla security vulnerability — scylla | 8.1 | High | 2022-09-15
CVE-2020-27795 | radare2 security vulnerability — radare2 | 7.5 | - | 2022-08-19
CVE-2021-3435 | Zephyr security vulnerability — zephyr | 4.0 | Medium | 2022-06-28
CVE-2022-31026 | Trilogy security vulnerability — trilogy | 5.9 | Medium | 2022-06-06
CVE-2022-29205 | Google TensorFlow security vulnerability — tensorflow | 5.5 | Medium | 2022-05-20
CVE-2022-26370 | F5 BIG-IP security vulnerability — BIG-IP | 5.9 | Medium | 2022-05-05
CVE-2022-0433 | Linux kernel code issue vulnerability — kernel | 5.5 | - | 2022-03-09
CVE-2022-23573 | Google Tensorflow security vulnerability — tensorflow | 7.6 | High | 2022-02-04
CVE-2021-43848 | h2o security vulnerability — h2o | 7.4 | High | 2022-02-01
CVE-2021-41225 | Google TensorFlow security vulnerability — tensorflow | 5.5 | Medium | 2021-11-05
CVE-2021-34855 | Corel Parallels Desktop information disclosure vulnerability — Desktop | 6.5 | - | 2021-10-25
CVE-2021-21781 | Linux kernel security vulnerability — Linux Kernel | 4.3 | - | 2021-08-18
CVE-2021-37682 | Google TensorFlow code issue vulnerability — tensorflow | 4.4 | Medium | 2021-08-12
CVE-2021-3545 | QEMU information disclosure vulnerability — QEMU | 6.5 | - | 2021-06-02
CVE-2018-25014 | libwebp security vulnerability — libwebp | 9.8 | - | 2021-05-21
CVE-2021-29580 | Google TensorFlow security vulnerability — tensorflow | 2.5 | Low | 2021-05-14

CWE-908 (Use of Uninitialized Resource) is a common weakness category; this platform lists 131 CVE vulnerabilities associated with it.