CWE-909
Allowed-with-ReviewMissing Initialization of Resource
Abstraction: Class · Status: Incomplete
The product does not initialize a critical resource.
96 vulnerabilities reference this CWE, most recent first.
GHSA-QH4P-3MHW-2CP7
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-07-31 00:00Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3.
{
"affected": [],
"aliases": [
"CVE-2020-24455"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-26T03:15:00Z",
"severity": "MODERATE"
},
"details": "Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3.",
"id": "GHSA-qh4p-3mhw-2cp7",
"modified": "2022-07-31T00:00:59Z",
"published": "2022-05-24T17:43:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24455"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902167"
},
{
"type": "WEB",
"url": "https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.3"
},
{
"type": "WEB",
"url": "https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.1"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KPOENCMJU4DMT3BDNUBRK25B3DJ47UO"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP9M-6WGH-QQFW
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111208713
{
"affected": [],
"aliases": [
"CVE-2019-9321"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111208713",
"id": "GHSA-qp9m-6wgh-qqfw",
"modified": "2024-04-04T02:05:38Z",
"published": "2022-05-24T16:57:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9321"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQQC-X237-8GF8
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:41The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.
{
"affected": [],
"aliases": [
"CVE-2010-4082"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-11-30T22:14:00Z",
"severity": "LOW"
},
"details": "The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.",
"id": "GHSA-qqqc-x237-8gf8",
"modified": "2025-04-11T03:41:28Z",
"published": "2022-05-13T01:23:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4082"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=648671"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
},
{
"type": "WEB",
"url": "http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03392.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42778"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42801"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42890"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42932"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.36/ChangeLog-2.6.36-rc5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/09/25/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/10/06/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/10/07/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/10/25/3"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0958.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0007.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/43817"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0012"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0124"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0298"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R7QR-VHFP-52C9
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:44The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.
{
"affected": [],
"aliases": [
"CVE-2011-1044"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-02-18T20:00:00Z",
"severity": "LOW"
},
"details": "The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.",
"id": "GHSA-r7qr-vhfp-52c9",
"modified": "2025-04-11T03:44:15Z",
"published": "2022-05-13T01:23:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1044"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=667916"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65563"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7182afea8d1afd432a17c18162cc3fd441d0da93"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7182afea8d1afd432a17c18162cc3fd441d0da93"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2011-0927.html"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/46488"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RJP6-GJQ7-25V6
Vulnerability from github – Published: 2024-08-21 03:31 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
vhost/vsock: always initialize seqpacket_allow
There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this).
To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features
{
"affected": [],
"aliases": [
"CVE-2024-43873"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T01:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n created. Thus if features are never set, it will be\n read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n then seqpacket_allow will not be cleared appropriately\n (existing apps I know about don\u0027t usually do this but\n it\u0027s legal and there\u0027s no way to be sure no one relies\n on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features",
"id": "GHSA-rjp6-gjq7-25v6",
"modified": "2025-11-04T00:31:17Z",
"published": "2024-08-21T03:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43873"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RR6C-95PP-CPGF
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.
{
"affected": [],
"aliases": [
"CVE-2021-36386"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "HIGH"
},
"details": "report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.",
"id": "GHSA-rr6c-95pp-cpgf",
"modified": "2022-07-13T00:01:30Z",
"published": "2022-05-24T19:09:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36386"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-14"
},
{
"type": "WEB",
"url": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt"
},
{
"type": "WEB",
"url": "https://www.fetchmail.info/security.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/08/09/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RW97-Q7V4-XHHQ
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15An information disclosure vulnerability exists in AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low privileged users to open a handle and send requests to the driver resulting in a potential data leak from uninitialized physical pages.
{
"affected": [],
"aliases": [
"CVE-2021-26333"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-21T11:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low privileged users to open a handle and send requests to the driver resulting in a potential data leak from uninitialized physical pages.",
"id": "GHSA-rw97-q7v4-xhhq",
"modified": "2022-05-24T19:15:23Z",
"published": "2022-05-24T19:15:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26333"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1009"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164202/AMD-Chipset-Driver-Information-Disclosure-Memory-Leak.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Sep/24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3HW-WJFP-H8FP
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.
{
"affected": [],
"aliases": [
"CVE-2010-3876"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-01-03T20:00:00Z",
"severity": "LOW"
},
"details": "net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.",
"id": "GHSA-v3hw-wjfp-h8fp",
"modified": "2022-05-13T01:23:45Z",
"published": "2022-05-13T01:23:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3876"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=649715"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=67286640f638f5ad41a946b9a3dc75327950248f"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=67286640f638f5ad41a946b9a3dc75327950248f"
},
{
"type": "WEB",
"url": "http://marc.info/?l=linux-netdev\u0026m=128854507220908\u0026w=2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/02/10"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/02/12"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/02/7"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/02/9"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/04/5"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42789"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42890"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42963"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/46397"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-2126"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0958.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0004.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0007.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0162.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/44630"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0024"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0168"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W65R-C8RV-GRWW
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.
{
"affected": [],
"aliases": [
"CVE-2010-3297"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-30T15:00:00Z",
"severity": "LOW"
},
"details": "The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.",
"id": "GHSA-w65r-c8rv-grww",
"modified": "2022-05-13T01:23:44Z",
"published": "2022-05-13T01:23:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3297"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=633145"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git%3Ba=commit%3Bh=44467187dc22fdd33a1a06ea0ba86ce20be3fe3c"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=44467187dc22fdd33a1a06ea0ba86ce20be3fe3c"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
},
{
"type": "WEB",
"url": "http://lkml.org/lkml/2010/9/11/168"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/41440"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42758"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43161"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-2126"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.36-rc5"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:051"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/09/14/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/09/14/7"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0771.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/43229"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1041-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1057-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0070"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0280"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0298"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WMHF-M2R4-MCRP
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2024-06-21 21:33In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method, and may allow a user to observe uninitialized values.
{
"affected": [],
"aliases": [
"CVE-2021-28167"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method, and may allow a user to observe uninitialized values.",
"id": "GHSA-wmhf-m2r4-mcrp",
"modified": "2024-06-21T21:33:49Z",
"published": "2022-05-24T17:48:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28167"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/openj9/issues/12016"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240621-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.