CWE-454
External Initialization of Trusted Variables or Data Stores
AI Translation Available
The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.
Status
draft
Abstraction
base
Affected Platforms
Not Language-Specific
PHP
Extended Description
AI Translation
A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.
Technical Details
AI Translation
Common Consequences
integrity
Impacts
modify application data
Detection Methods
automated static analysis
Potential Mitigations
Phases:
implementation
architecture and design
Descriptions:
•
Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.
•
A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.