Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Missing Initialization of a Variable
What is CWE-456?
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.
Real-world CVEs caused by CWE-456
- Chain: The return value of a function returning a pointer is not checked for success (CWE-252), resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476).
- Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
- Chain: C union member is not initialized (CWE-456), leading to access of an invalid pointer (CWE-824).
- Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
- A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage.
- Product uses uninitialized variables for size and index, leading to a resultant buffer overflow.
- Internal variable in a PHP application is not initialized, allowing external modification.
- Array variable not initialized in a PHP application, leading to resultant SQL injection.
Attacker path, step by step
1. This function attempts to extract a pair of numbers from a user-supplied string.
2. This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form `123:`, then only the m variable will be initialized.
3. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
4. Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
5. This code first authenticates a user, then allows a delete command if the user is an administrator.
Vulnerable C
This function attempts to extract a pair of numbers from a user-supplied string.

```c
#include <stdio.h>
#include <stdlib.h>

/* die() is not defined in the original snippet; a minimal version is
   supplied here so the example compiles. */
static void die(const char *msg) {
    fputs(msg, stderr);
    exit(1);
}

void parse_data(char *untrusted_input) {
    int m, n, error;   /* m and n are declared but never initialized */
    error = sscanf(untrusted_input, "%d:%d", &m, &n);
    if (EOF == error) {   /* only total input failure is treated as an error */
        die("Did not specify integer value. Die evil hacker!\n");
    }
    /* proceed assuming n and m are initialized correctly */
}
```

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

123:

then only the m variable will be initialized, because sscanf returns 1 (one successful conversion) rather than EOF. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).

Secure Java
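As an added example (not part of the original page or of MITRE's entry), the page's parsing pattern is isolated beside a hardened version. The check the page relies on, `EOF == error`, only rejects inputs that fail before the first conversion; the hardened variant initializes both integers before any use, requires both conversions, and rejects trailing bytes. The names `pair_t`, `accepted_by_eof_check`, `parse_pair_checked` and `demo_pair`, and the sample inputs, are this example's own.

```c
#include <stdio.h>

/* Added example; names and sample inputs are constructed for it. */

typedef struct {
    int m;
    int n;
} pair_t;

/* File-scope scratch output used by main() below. */
static pair_t demo_pair;

/* The page's check, isolated: only EOF (input failure before the first
   conversion) is treated as an error. Returns -1 when that check rejects
   the input, otherwise the number of fields sscanf actually assigned.
   Anything below 2 means the page's code would go on to use m and/or n
   while they still hold indeterminate stack contents. m and n are never
   read here, so this function itself stays well defined. */
int accepted_by_eof_check(const char *untrusted_input)
{
    int m, n;
    int count = sscanf(untrusted_input, "%d:%d", &m, &n);
    if (count == EOF) {
        return -1;
    }
    return count;
}

/* Hardened variant: initialize before any use, require both conversions,
   and reject trailing bytes so "12:34x" is not silently accepted.
   Returns 1 and fills *out on success, 0 on any failure. */
int parse_pair_checked(const char *untrusted_input, pair_t *out)
{
    int m = 0, n = 0;   /* defined values even if sscanf assigns nothing */
    char trailing;
    int count = sscanf(untrusted_input, "%d:%d%c", &m, &n, &trailing);
    if (count != 2) {   /* exactly 2: both ints converted, nothing followed */
        return 0;
    }
    out->m = m;
    out->n = n;
    return 1;
}

int main(void)
{
    const char *inputs[] = { "12:34", "123:", "abc", "", "12:34x" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int loose = accepted_by_eof_check(inputs[i]);
        int strict = parse_pair_checked(inputs[i], &demo_pair);
        printf("%-8s EOF-check: %s (%d field(s) set)  strict: %s\n",
               inputs[i], loose < 0 ? "reject" : "accept",
               loose < 0 ? 0 : loose, strict ? "accept" : "reject");
    }
    return 0;
}
```

Running main() shows that the EOF-only check accepts "123:" with one field set, and even "abc" with zero fields set; only the empty string is rejected. One further caveat for genuinely untrusted input: `%d` does not report out-of-range values (the behaviour is undefined by the C standard), so if the magnitude matters, parse with `strtol` and check `errno` for `ERANGE` instead.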
In the vulnerable version of this class, the user field is assigned only by a separate setUser method. If setUser is not called before authenticateUser, the user variable will not have been initialized and the call will throw a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code, which assigns it in the constructor and checks for null before dereferencing it.
```java
public class BankManager {
    // user allowed to perform bank manager tasks
    private User user = null;
    private boolean isUserAuthentic = false;

    // constructor for BankManager class
    public BankManager(String username) {
        user = getUserFromUserDatabase(username);
    }

    // retrieve user from database of users
    public User getUserFromUserDatabase(String username) {...}

    // authenticate user
    public boolean authenticateUser(String username, String password) {
        if (user == null) {
            System.out.println("Cannot find user " + username);
        }
        else {
            if (password.equals(user.getPassword())) {
                isUserAuthentic = true;
            }
        }
        return isUserAuthentic;
    }

    // methods for performing bank manager tasks
    ...
}
```

How to prevent CWE-456
- Implementation: Ensure that critical variables are initialized before first use [REF-1485].
- Requirements: Choose a language that is not susceptible to these issues. This only goes so far: Java, for example, rejects reads of unassigned local variables at compile time, but fields default to null or zero (see the Java Language Specification reference under Further reading), which is exactly why the BankManager example above still has to check user for null.
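As an added example (not the page's or MITRE's code), here is the "initialize before first use, then verify before use" guidance carried over to C, using the handler-table shape from the "uninitialized handler function" chain in the CVE list above and the same check-before-dereference idea as the Java class. All names here (`op_handler`, `socket_ops_t`, `ops_complete`, `dispatch_op`, `local_ops_is_safe`) are invented for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example; all identifiers are constructed for it. */

typedef int (*op_handler)(int value);

typedef struct {
    const char *name;
    op_handler on_read;     /* required */
    op_handler on_write;    /* required */
    op_handler on_shutdown; /* optional */
} socket_ops_t;

static int echo_read(int v)  { return v; }
static int echo_write(int v) { return v * 2; }

/* Designated initializers: every field named here is set and every field
   omitted is zero/NULL, so an unimplemented handler is a reliable NULL
   rather than whatever the memory previously held. on_write is deliberately
   left out of read_only_ops to model the "unimplemented operation" case. */
static const socket_ops_t read_only_ops = {
    .name = "read-only",
    .on_read = echo_read,
};

static const socket_ops_t full_ops = {
    .name = "full",
    .on_read = echo_read,
    .on_write = echo_write,
};

/* Validate once, before first use: both required handlers must be present.
   Returns 1 if complete, 0 otherwise. */
int ops_complete(const socket_ops_t *ops)
{
    return ops != NULL && ops->on_read != NULL && ops->on_write != NULL;
}

enum { OP_READ, OP_WRITE, OP_SHUTDOWN };

/* Dispatch through a checked pointer: returns -1 for a missing handler
   instead of calling through NULL (the CWE-456 -> CWE-476 chain). */
int dispatch_op(const socket_ops_t *ops, int op, int value)
{
    op_handler h = NULL;
    if (ops == NULL) {
        return -1;
    }
    switch (op) {
    case OP_READ:     h = ops->on_read;     break;
    case OP_WRITE:    h = ops->on_write;    break;
    case OP_SHUTDOWN: h = ops->on_shutdown; break;
    default:          return -1;
    }
    if (h == NULL) {
        return -1;
    }
    return h(value);
}

/* Same rule for a local: "= {0}" zero-fills at the point of declaration.
   Without it the three pointers would be indeterminate, and the NULL check
   in dispatch_op() could not be relied on. Returns dispatch_op()'s result
   for the handler that was never assigned, which is -1. */
int local_ops_is_safe(void)
{
    socket_ops_t local = {0};
    local.name = "local";
    local.on_read = echo_read;
    return dispatch_op(&local, OP_WRITE, 1);
}

int main(void)
{
    printf("read-only complete: %d\n", ops_complete(&read_only_ops));
    printf("full complete:      %d\n", ops_complete(&full_ops));
    printf("write on read-only: %d\n", dispatch_op(&read_only_ops, OP_WRITE, 5));
    printf("write on full:      %d\n", dispatch_op(&full_ops, OP_WRITE, 5));
    printf("local, unassigned:  %d\n", local_ops_is_safe());
    return 0;
}
```

The two halves reinforce each other: the initializer guarantees that an absent handler is NULL, and the check in `dispatch_op` turns that NULL into an error return. Either half alone is not enough, since a NULL check on a pointer that was never initialized is checking garbage.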
How to detect CWE-456
Plexicus automatically detects CWE-456 and opens a fix PR in under 60 seconds.
Codex Remedium analyzes every commit, identifies this exact weakness and delivers a review-ready pull request with the patch. No tickets. No handoffs.
Frequently asked questions
What is CWE-456?
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.
How severe is CWE-456?
MITRE has not published a likelihood-of-exploitation rating for this weakness. Treat it as medium impact until your threat model proves otherwise.
Which languages or platforms are affected by CWE-456?
MITRE has not specified the platforms affected by this CWE; it can apply to most application stacks.
How can I prevent CWE-456?
Ensure that critical variables are initialized before first use [REF-1485]. Choose a language that is not susceptible to these issues.
How does Plexicus detect and fix CWE-456?
Plexicus's SAST engine matches the CWE-456 data-flow signature on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests and a one-line summary for the reviewer.
Where can I learn more about CWE-456?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/456.html. You can also consult the OWASP and NIST documentation for adjacent guidance.
Weaknesses related to CWE-456
Missing Initialization of Resource
The software fails to properly set up a critical resource before using it.
Uninitialized Value on Reset for Registers Holding Security Settings
Security-critical hardware registers start with random, unpredictable values when a device powers on or resets, creating an immediate…
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an…
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will…
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion…
Use of Uninitialized Variable
This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…
Further reading
- MITRE: official CWE-456 entry https://cwe.mitre.org/data/definitions/456.html
- Automated Source Code Reliability Measure (ASCRM) http://www.omg.org/spec/ASCRM/1.0/
- Automated Source Code Security Measure (ASCSM) http://www.omg.org/spec/ASCSM/1.0/
- uninitialized variable vulnerability - Problem with boolean variables that are forcibly initialized to false by the Java compiler https://github.com/windshock/uninitialized-variable-vulnerability/blob/main/README.md
- The Java Language Specification, Java SE 7 Edition https://docs.oracle.com/javase/specs/jls/se7/html/jls-4.html#jls-4.12.5
- D3FEND: D3-VI Variable Initialization https://d3fend.mitre.org/technique/d3f:VariableInitialization/
Stop paying per developer.
Start closing the loop.
Plexicus is the AI-native ASPM that scans, filters, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repos, fair-use AI actions. A real free tier, €269/mo billed annually when you are ready.