{"@ID": "1188", "@Name": "Initialization of a Resource with an Insecure Default", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1419", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "344", "@View_ID": "1000"}, {"@Nature": "ChildOf", "@CWE_ID": "665", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation", "Note": "Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value.  However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it."}, {"Phase": "System Configuration"}]}, "Common_Consequences": {"Consequence": {"Scope": "Other", "Impact": "Varies by Context", "Note": "The impact of insecure defaults varies widely\n\t       depending on the functionality that the product\n\t       controls."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)"}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-163", "Intro_Text": "This code attempts to login a user using credentials from a POST request:", "Example_Code": [{"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": ["// $user and $pass automatically set from POST request", "..."], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "$authorized = true;"}, {"@style": "margin-left:1em;", "#text": "generatePage();"}], "#text": "if (login_user($user,$pass)) {}\n                    \n                    \n                  if ($authorized) {}"}}, {"@Nature": "Good", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "$authorized = true;"}, "xhtml:i": "...", "#text": "$user = $_POST['user'];$pass = $_POST['pass'];$authorized = false;if (login_user($user,$pass)) {}"}}], "Body_Text": ["Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials.", "Here is a fixed version:", "This code avoids the issue by initializing the $authorized variable to false and explicitly retrieving the login credentials from the $_POST variable. Regardless, register_globals should never be enabled and is disabled by default in current versions of PHP."]}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2022-36349", "Description": "insecure default variable initialization in BIOS firmware for a hardware board allows DoS", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-36349"}, {"Reference": "CVE-2022-42467", "Description": "A generic database browser interface has a default mode that exposes a web server to the network, allowing queries to the database.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-42467"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": {"@CAPEC_ID": "665"}}, "References": {"Reference": {"@External_Reference_ID": "REF-1493"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "This entry improves organization of concepts under initialization.  The typical CWE model is to cover \"Missing\" and \"Incorrect\" behaviors.  Arguably, this entry could be named as \"Incorrect\" instead of \"Insecure.\"  This might be changed in the near future."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2019-03-25", "Submission_Version": "3.3", "Submission_ReleaseDate": "2019-06-20"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples, Name, Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, References, Relationships, Time_of_Introduction"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Anonymous External Contributor", "Contribution_Date": "2023-10-13", "Contribution_Comment": "Suggested name change for clarity"}, "Previous_Entry_Name": {"@Date": "2023-10-26", "#text": "Insecure Default Initialization of Resource"}}}
