{"@ID": "456", "@Name": "Missing Initialization of a Variable", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not initialize critical variables, which causes the execution environment to use unexpected values.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "909", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "665", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "665", "@View_ID": "1340", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "89", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "120", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "98", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "457", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Indirect"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Common_Consequences": {"Consequence": {"Scope": ["Integrity", "Other"], "Impact": ["Unexpected State", "Quality Degradation", "Varies by Context"], "Note": "The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-57", "Phase": "Implementation", "Strategy": "Attack Surface Reduction", "Description": "Ensure that critical variables are initialized before first use [REF-1485]."}, {"Phase": "Requirements", "Strategy": "Language Selection", "Description": "Choose a language that is not susceptible to these issues."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": "This function attempts to extract a pair of numbers from a user-supplied string.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "die(\"Did not specify integer value. Die evil hacker!\\n\");"}, "xhtml:i": "/* proceed assuming n and m are initialized correctly */", "#text": "int m, n, error;error = sscanf(untrusted_input, \"%d:%d\", &m, &n);if ( EOF == error ){}"}}, "#text": "void parse_data(char *untrusted_input){}"}}, {"@Nature": "Attack", "xhtml:div": "123:"}], "Body_Text": ["This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:", "then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457)."]}, {"Intro_Text": "Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": ["// Do something interesting.", "// Throws NPE if user hasn't been properly initialized."], "#text": "...\n                           \n                           \n                           String username = user.getName();"}}, "#text": "private User user;public void someMethod() {}"}}}, {"Intro_Text": "This code first authenticates a user, then allows a delete command if the user is an administrator.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "$isAdmin = true;"}, {"@style": "margin-left:1em;", "#text": "deleteUser($userToDelete);"}], "xhtml:br": [null, null, null], "xhtml:i": "/.../", "#text": "if (authenticate($username,$password) && setAdmin($username)){}\n                     \n                     \n                     if ($isAdmin){}"}}, "Body_Text": "The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true."}, {"Intro_Text": "In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.", "Example_Code": [{"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": ["// user allowed to perform bank manager tasks", "// constructor for BankManager class", "// retrieve user from database of users", "// set user variable using username", "// authenticate user", "// methods for performing bank manager tasks"], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "..."}, {"@style": "margin-left:1em;", "#text": "..."}, {"@style": "margin-left:1em;", "#text": "this.user = getUserFromUserDatabase(username);"}, {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "#text": "isUserAuthentic = true;"}, "xhtml:br": null, "#text": "if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {}return isUserAuthentic;"}], "#text": "private User user = null;private boolean isUserAuthentic = false;\n                           \n                           \n                           public BankManager() {}\n                           \n                           \n                           public User getUserFromUserDatabase(String username){}\n                           \n                           \n                           public void setUser(String username) {}\n                           \n                           \n                           public boolean authenticateUser(String username, String password) {}\n                           \n                           \n                           ..."}}, "#text": "public class BankManager {\n                     }"}}, {"@Nature": "Good", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": ["// user allowed to perform bank manager tasks", "// constructor for BankManager class", "// retrieve user from database of users", "// authenticate user"], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "user = getUserFromUserDatabase(username);"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "System.out.println(\"Cannot find user \" + username);"}, {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "#text": "isUserAuthentic = true;"}, "#text": "if (password.equals(user.getPassword())) {}"}], "xhtml:br": [null, null], "#text": "if (user == null) {}else {}return isUserAuthentic;"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// methods for performing bank manager tasks", "#text": "..."}}], "#text": "private User user = null;private boolean isUserAuthentic = false;\n                           \n                           \n                           public BankManager(String username) {}\n                           \n                           \n                           public User getUserFromUserDatabase(String username) {...}\n                           \n                           \n                           public boolean authenticateUser(String username, String password) {}"}}, "#text": "public class BankManager {\n                     }"}}], "Body_Text": "However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code."}, {"@Demonstrative_Example_ID": "DX-144", "Intro_Text": "This example will leave test_string in an\n\t\t\t  unknown condition when i is the same value as err_val,\n\t\t\t  because test_string is not initialized\n\t\t\t  (CWE-456). Depending on where this code segment appears\n\t\t\t  (e.g. within a function body), test_string might be\n\t\t\t  random if it is stored on the heap or stack. If the\n\t\t\t  variable is declared in static memory, it might be zero\n\t\t\t  or NULL. Compiler optimization might contribute to the\n\t\t\t  unpredictability of this address.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "test_string = \"Hello World!\";"}, "#text": "char *test_string;\n                if (i != err_val)\n                {\n                \n                }\n                printf(\"%s\", test_string);"}, {"@Nature": "Good", "@Language": "C", "xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "test_string = \"Hello World!\";"}, "#text": "char *test_string = \"Done at the beginning\";\n\t\t\t\tif (i != err_val)\n\t\t\t\t{\n\t\t\t\t\n\t\t\t\t}\n\t\t\t\tprintf(\"%s\", test_string);"}, {"@Nature": "Good", "@Language": "C", "xhtml:br": [null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "test_string = \"Hello World!\";"}, {"@style": "margin-left:1em;", "#text": "test_string = \"Done on the other side!\";"}], "#text": "char *test_string;\n\t\t\t\tif (i != err_val)\n\t\t\t\t{\n\t\t\t\t\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\n\t\t\t\t}\n\t\t\t\tprintf(\"%s\", test_string);"}], "Body_Text": [{"xhtml:p": ["When the printf() is reached,\n              test_string might be an unexpected address, so the\n              printf might print junk strings (CWE-457).", "To fix this code, there are a couple approaches to\n\t\t\t  making sure that test_string has been properly set once\n\t\t\t  it reaches the printf().", "One solution would be to set test_string to an\n\t\t\t  acceptable default before the conditional:"]}, "Another solution is to ensure that each\n\t\t\t  branch of the conditional - including the default/else\n\t\t\t  branch - could ensure that test_string is set:"]}, {"Intro_Text": {"xhtml:p": "Consider the following merchant server application as implemented in\n\t\t\t  [REF-1475]. It receives card payment information (orderPgData instance\n\t\t\t  in OrderPgData.java) from the payment gateway (such as PayPal). The\n\t\t\t  next step is to complete the payment (finalizeOrder() in\n\t\t\t  Main.java). The merchant server validates the amount (validateAmount()\n\t\t\t  in OrderPgData.java), and if the validation is successful, then the\n\t\t\t  payment is completed."}, "Example_Code": [{"@Nature": "Bad", "@Language": "Java", "xhtml:br": [null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "return this.isPaymentAmountTampered;"}, "#text": "public boolean getIsPaymentAmountTampered() {\n\t\t\t\t\n\t\t\t\t}"}, "#text": "String PgType;\n\t\t\t      int productPrice;\n\t\t\t      int paymentAmount;\n\t\t\t      private boolean isPaymentAmountTampered;\n\t\t\t      \n\t\t\t      ..."}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "... [sets this.setIsPaymentAmountTampered to true or false depending on whether the product price matches the payment amount]"}], "#text": "File: OrderPgData.java\n\t\t\t    \n\t\t\t    public class OrderPgData {\n\t\t\t    \n\t\t\t    public void validateAmount() {\n\t\t\t    \n\t\t\t    }"}, {"@Nature": "Bad", "@Language": "Java", "xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "System.out.println(\"In \"+pgType+\" payment logic, orderPgData does not verify whether the product amount and payment amount have been tampered with.\");\n\t\t\t\t    break;"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "#text": "System.out.println(\"In \"+pgType+\" payment logic, orderPgData verifies whether the product amount and payment amount have been tampered with.\");\n\t\t\t\t    orderPgData.validateAmount();\n\t\t\t\t    break;"}], "#text": "case \"card\":\n\t\t\t\t  \n\t\t\t\t  case \"paypal\":\n\t\t\t\t  \n\t\t\t\t  }\n\t\t\t\t  ..."}, "#text": "...\n\t\t\t\tswitch(pgType) {"}, "#text": "public OrderPgData getOrderPgDataByPgType(String pgType, int productPrice, int paymentAmount) {"}, "#text": "File: PgServiceResolver.java\n\t\t\t    \n\t\t\t    public class PgServiceResolver {"}, {"@Nature": "Bad", "@Language": "Java", "xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null], "#text": "String pgType = \"card\"; // or paypal\n\t\t\t\tint productPrice = 100;\n\t\t\t\tint paymentAmount = 10;\n\t\t\t\tPgServiceResolver pgServiceResolver = new PgServiceResolver();\n\t\t\t\tOrderPgData orderPgData = pgServiceResolver.getOrderPgDataByPgType(pgType, productPrice, paymentAmount);\n\t\t\t\tfinalizeOrder(orderPgData);"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "System.out.println(\"The attacker tampered with the payment amount, but product payment is canceled.\");"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "... /* the product payment is completed */"}], "#text": "if (orderPgData.getIsPaymentAmountTampered()) {\n\t\t\t\t\n\t\t\t\t} else {\n\t\t\t\t\n\t\t\t\t}"}], "xhtml:br": [null, null], "#text": "public static void main(String[] args) {\n\t\t\t      \n\t\t\t      }\n\t\t\t      private static void finalizeOrder(OrderPgData orderPgData) {\n\t\t\t      \n\t\t\t      }"}, "#text": "File: Main.java\n\t\t\t    \n\t\t\t    public class Main {\n\t\t\t    \n\t\t\t    }"}, {"@Nature": "Good", "@Language": "Java", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "private boolean isPaymentAmountTampered = true;"}, "#text": "File: OrderPgData.java\n\t\t\t    ..."}], "Body_Text": [{"xhtml:p": ["In PgServiceResolver.java, when pgType is \"card\" indicating a card\n\t\t\t    payment, orderPgData.validateAmount() is not called - that is, the\n\t\t\t    amount is not validated to be the same as the expected price.", "Since isPaymentAmountTampered is declared as a private boolean, but it\n\t\t\t    is not initialized, it is forcibly initialized to false by the Java\n\t\t\t    compiler [REF-1476].", "If the adversary modifies the price, e.g., changing paymentAmount from\n\t\t\t    100 to 10, then no validation is performed. Since\n\t\t\t    isPaymentAmountTampered is \"false\" because of the default\n\t\t\t    initialization, the code finishes processing the payment because it\n\t\t\t    does not believe that the amount has been changed."]}, {"xhtml:p": "This weakness could be addressed by setting the value of\n\t\t\t    isPaymentAmountTampered to true. This is a \"secure-by-default\" value\n\t\t\t    that reflects a \"default deny\" policy - i.e., it's assumed that the\n\t\t\t    payment amount is tampered, and only a special validation step can\n\t\t\t    change this assumption."}]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2020-6078", "Description": "Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-6078"}, {"Reference": "CVE-2019-3836", "Description": "Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).", "Link": "https://www.cve.org/CVERecord?id=CVE-2019-3836"}, {"Reference": "CVE-2018-14641", "Description": "Chain: C union member is not initialized (CWE-456), leading to access of invalid pointer (CWE-824)", "Link": "https://www.cve.org/CVERecord?id=CVE-2018-14641"}, {"Reference": "CVE-2009-2692", "Description": "Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-2692"}, {"Reference": "CVE-2020-20739", "Description": "A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-20739"}, {"Reference": "CVE-2005-2978", "Description": "Product uses uninitialized variables for size and index, leading to resultant buffer overflow.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2978"}, {"Reference": "CVE-2005-2109", "Description": "Internal variable in PHP application is not initialized, allowing external modification.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2109"}, {"Reference": "CVE-2005-2193", "Description": "Array variable not initialized in PHP application, leading to resultant SQL injection.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2193"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Missing Initialization"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP1", "Entry_Name": "Glitch in computation"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "ERR30-C", "Entry_Name": "Set errno to zero before calling a library function known to set errno,  and check errno only after the function returns a value indicating failure", "Mapping_Fit": "CWE More Abstract"}, {"@Taxonomy_Name": "SEI CERT Perl Coding Standard", "Entry_ID": "DCL04-PL", "Entry_Name": "Always initialize local variables", "Mapping_Fit": "Exact"}, {"@Taxonomy_Name": "SEI CERT Perl Coding Standard", "Entry_ID": "DCL33-PL", "Entry_Name": "Declare identifiers before using them", "Mapping_Fit": "Imprecise"}, {"@Taxonomy_Name": "OMG ASCSM", "Entry_ID": "ASCSM-CWE-456"}, {"@Taxonomy_Name": "OMG ASCRM", "Entry_ID": "ASCRM-CWE-456"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-62", "@Section": "Chapter 7, \"Variable Initialization\", Page 312"}, {"@External_Reference_ID": "REF-961", "@Section": "ASCRM-CWE-456"}, {"@External_Reference_ID": "REF-962", "@Section": "ASCSM-CWE-456"}, {"@External_Reference_ID": "REF-1475"}, {"@External_Reference_ID": "REF-1476"}, {"@External_Reference_ID": "REF-1485"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested."}, {"@Type": "Research Gap", "#text": "It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Other_Notes, Relationship_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Name, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Potential_Mitigations, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Hyeongkwan Lee", "Contribution_Organization": "SK Planet", "Contribution_Date": "2022-09-13", "Contribution_Version": "4.17", "Contribution_ReleaseDate": "2025-04-03", "Contribution_Comment": "provided demonstratuve example for Java boolean variables"}, "Previous_Entry_Name": {"@Date": "2013-02-21", "#text": "Missing Initialization"}}}
