CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
426 vulnerabilities reference this CWE, most recent first.
GHSA-CVVQ-2X6W-G26J
Vulnerability from github – Published: 2023-11-01 12:30 – Updated: 2023-11-01 12:30Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.
{
"affected": [],
"aliases": [
"CVE-2023-1719"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T10:15:09Z",
"severity": "HIGH"
},
"details": "Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim\u0027s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.",
"id": "GHSA-cvvq-2x6w-g26j",
"modified": "2023-11-01T12:30:19Z",
"published": "2023-11-01T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1719"
},
{
"type": "WEB",
"url": "https://starlabs.sg/advisories/23/23-1719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CX9H-V29M-9V3M
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-10-27 19:00Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and earlier) are affected by an Improper input validation vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-36006"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-20T19:15:00Z",
"severity": "LOW"
},
"details": "Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and earlier) are affected by an Improper input validation vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-cx9h-v29m-9v3m",
"modified": "2022-10-27T19:00:40Z",
"published": "2022-05-24T19:11:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36006"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb21-63.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXX4-W85R-9FXH
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901.
{
"affected": [],
"aliases": [
"CVE-2018-0926"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T17:29:00Z",
"severity": "MODERATE"
},
"details": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka \"Windows Kernel Information Disclosure Vulnerability\". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901.",
"id": "GHSA-cxx4-w85r-9fxh",
"modified": "2022-05-13T01:18:37Z",
"published": "2022-05-13T01:18:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0926"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0926"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103247"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040517"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F263-5JV5-V234
Vulnerability from github – Published: 2022-05-04 00:27 – Updated: 2022-05-04 00:27Microsoft Internet Explorer 9 does not properly handle the creation and initialization of string objects, which allows remote attackers to read data from arbitrary process-memory locations via a crafted web site, aka "Null Byte Information Disclosure Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2012-0012"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-02-14T22:55:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Internet Explorer 9 does not properly handle the creation and initialization of string objects, which allows remote attackers to read data from arbitrary process-memory locations via a crafted web site, aka \"Null Byte Information Disclosure Vulnerability.\"",
"id": "GHSA-f263-5jv5-v234",
"modified": "2022-05-04T00:27:41Z",
"published": "2022-05-04T00:27:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0012"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-010"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14870"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA12-045A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F26G-RGWG-4VXW
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0702, CVE-2019-0755, CVE-2019-0775, CVE-2019-0782.
{
"affected": [],
"aliases": [
"CVE-2019-0767"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T02:29:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka \u0027Windows Kernel Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2019-0702, CVE-2019-0755, CVE-2019-0775, CVE-2019-0782.",
"id": "GHSA-f26g-rgwg-4vxw",
"modified": "2022-05-13T01:21:33Z",
"published": "2022-05-13T01:21:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0767"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F28H-RXHW-4349
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44Softaculous before 5.5.7 is affected by a code execution vulnerability because of External Initialization of Trusted Variables or Data Stores. This leads to privilege escalation on the local host.
{
"affected": [],
"aliases": [
"CVE-2020-26886"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-18T20:15:00Z",
"severity": "HIGH"
},
"details": "Softaculous before 5.5.7 is affected by a code execution vulnerability because of External Initialization of Trusted Variables or Data Stores. This leads to privilege escalation on the local host.",
"id": "GHSA-f28h-rxhw-4349",
"modified": "2022-05-24T17:44:47Z",
"published": "2022-05-24T17:44:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26886"
},
{
"type": "WEB",
"url": "https://vulnerable.af"
},
{
"type": "WEB",
"url": "https://vulnerable.af/posts/cve-2020-26886"
},
{
"type": "WEB",
"url": "https://www.softaculous.com/board/index.php?tid=17086\u0026title=Softaculous_5.5.7_Launched"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F2FF-VVQC-39WR
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53An uninitialised stack variable in the nxfuse component that is part of the Open Source DokanFS library shipped with NoMachine 6.0.66_2 and earlier allows a local low privileged user to gain elevation of privileges on Windows 7 (32 and 64bit), and denial of service for Windows 8 and 10.
{
"affected": [],
"aliases": [
"CVE-2018-6947"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-28T22:29:00Z",
"severity": "HIGH"
},
"details": "An uninitialised stack variable in the nxfuse component that is part of the Open Source DokanFS library shipped with NoMachine 6.0.66_2 and earlier allows a local low privileged user to gain elevation of privileges on Windows 7 (32 and 64bit), and denial of service for Windows 8 and 10.",
"id": "GHSA-f2ff-vvqc-39wr",
"modified": "2022-05-13T01:53:14Z",
"published": "2022-05-13T01:53:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6947"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44167"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44168"
},
{
"type": "WEB",
"url": "https://www.fidusinfosec.com/nomachine-road-code-execution-without-fuzzing-cve-2018-6947"
},
{
"type": "WEB",
"url": "https://www.nomachine.com/SU02P00194"
},
{
"type": "WEB",
"url": "https://www.nomachine.com/SU02P00195"
},
{
"type": "WEB",
"url": "https://www.nomachine.com/TR02P08408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2J2-5FH3-4JRR
Vulnerability from github – Published: 2022-05-14 04:01 – Updated: 2025-04-20 03:49Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
{
"affected": [],
"aliases": [
"CVE-2017-15897"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-11T21:29:00Z",
"severity": "MODERATE"
},
"details": "Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, \u0027Buffer.alloc(0x100, \"This is not correctly encoded\", \"hex\");\u0027 The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.",
"id": "GHSA-f2j2-5fh3-4jrr",
"modified": "2025-04-20T03:49:47Z",
"published": "2022-05-14T04:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15897"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/december-2017-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F3QM-7J3M-GGR7
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0894, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901 and CVE-2018-0926.
{
"affected": [],
"aliases": [
"CVE-2018-0895"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T17:29:00Z",
"severity": "MODERATE"
},
"details": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka \"Windows Kernel Information Disclosure Vulnerability\". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0894, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901 and CVE-2018-0926.",
"id": "GHSA-f3qm-7j3m-ggr7",
"modified": "2022-05-13T01:18:36Z",
"published": "2022-05-13T01:18:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0895"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0895"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44309"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103238"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040517"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4MR-H274-9W8H
Vulnerability from github – Published: 2023-09-20 18:30 – Updated: 2025-06-28 00:31Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
{
"affected": [],
"aliases": [
"CVE-2023-20594"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-20T18:15:12Z",
"severity": "MODERATE"
},
"details": "Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.",
"id": "GHSA-f4mr-h274-9w8h",
"modified": "2025-06-28T00:31:10Z",
"published": "2023-09-20T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20594"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-4007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.