CWE-1188 Details

CWE-1188

Initialization of a Resource with an Insecure Default
Incomplete
2019-06-20
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Allgemeine Informationen

Einführungsmodi

Implementation : Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.
System Configuration

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
OtherVaries by Context

Note: The impact of insecure defaults varies widely depending on the functionality that the product controls.

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2022-36349

insecure default variable initialization in BIOS firmware for a hardware board allows DoS

CVE-2022-42467

A generic database browser interface has a default mode that exposes a web server to the network, allowing queries to the database.

Erkennungsmethoden

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-665 Exploitation of Thunderbolt Protection Flaws

Hinweise

This entry improves organization of concepts under initialization. The typical CWE model is to cover "Missing" and "Incorrect" behaviors. Arguably, this entry could be named as "Incorrect" instead of "Insecure." This might be changed in the near future.

Referenzen

REF-1493

Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure By Design Software
US Cybersecurity and Infrastructure Security Agency, US National Security Agency, US FBI, Australian Signals Directorate, Canadian Centre for Cyber Security, National Cyber Security Centre, OAS, NISC, CSA Singapore, CERT NZ, Norwegian Cyber Security Centre, Korea Internet & Security Agency, JPCERT/CC.
https://www.cisa.gov/sites/default/files/2023-10/SecureByDesign_1025_508c.pdf

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
CWE Content Team MITRE 2019-03-25 +00:00 2019-06-20 +00:00 3.3

Änderungen

Name Organisation Datum Kommentar
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-07-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Demonstrative_Examples, Name, Observed_Examples, Relationships
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, References, Relationships, Time_of_Introduction
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.