Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-230: Improper Handling of Missing Values
Weakness ID: 230
Version: v4.17
Weakness Name: Improper Handling of Missing Values
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 229
Name: Improper Handling of Values
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 851
Name: The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 993
Name: SFP Secondary Cluster: Incorrect Input Handling

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1407
Name: Comprehensive Categorization: Improper Neutralization
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-315
Name: Unexpected State (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 993
Name: SFP Secondary Cluster: Incorrect Input Handling
▼Background Detail

▼Common Consequences
Scope: Integrity
Likelihood: N/A
Impact: Unexpected State
Note: N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note: N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

This Android application has registered to handle a URL when sent an intent:

Language: Java (Bad code)

    ...
    IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
    // The receiver class declared below is UrlHandlerReceiver; the original
    // listing instantiated an undeclared MyReceiver here, corrected to match.
    UrlHandlerReceiver receiver = new UrlHandlerReceiver();
    registerReceiver(receiver, filter);
    ...

    public class UrlHandlerReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if ("com.example.URLHandler.openURL".equals(intent.getAction())) {
                // getStringExtra() returns null when the extra is not in the intent
                String URL = intent.getStringExtra("URLToOpen");
                // dereferencing the null reference throws NullPointerException
                int length = URL.length();
                ...
            }
        }
    }

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() returns null, so calling length() on it throws a NullPointerException.
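The following is an added example, not code from the CWE entry, showing the same "URLToOpen" lookup with the value treated as missing for each of the reasons the description names (name given but value absent, null, empty, or blank), and the vulnerable assumption beside a form that fails closed with a controlled error. The Intent extras are replaced by a plain Map so the code runs on a stock JDK without the Android SDK; the map, the key name and the sample values are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example (not part of the CWE entry). A Map stands in for the Intent
// extras of the demonstrative example; keys and sample values are constructed.
public class MissingValueDemo {

    // The ways a value can be "missing" per the CWE-230 description: the name
    // is absent entirely, or it is present with a null, empty, or blank value.
    enum Missing { ABSENT, NULL, EMPTY, BLANK }

    // Returns why the value is unusable, or Optional.empty() when it is usable.
    static Optional<Missing> whyMissing(Map<String, String> params, String key) {
        if (!params.containsKey(key)) return Optional.of(Missing.ABSENT);
        String v = params.get(key);
        if (v == null) return Optional.of(Missing.NULL);
        if (v.isEmpty()) return Optional.of(Missing.EMPTY);
        if (v.trim().isEmpty()) return Optional.of(Missing.BLANK);
        return Optional.empty();
    }

    // Vulnerable form (mirrors the Bad code above): assumes the value exists.
    static int urlLengthUnchecked(Map<String, String> extras) {
        String url = extras.get("URLToOpen");   // null when the key is absent
        return url.length();                    // NullPointerException on null
    }

    // Hardened form: every missing variant is rejected up front with a
    // controlled, descriptive error instead of an uncaught crash, and the
    // caller never has to reason about null.
    static int urlLengthChecked(Map<String, String> extras) {
        Optional<Missing> reason = whyMissing(extras, "URLToOpen");
        if (reason.isPresent()) {
            throw new IllegalArgumentException(
                "URLToOpen not supplied: " + reason.get());
        }
        return extras.get("URLToOpen").trim().length();
    }

    public static void main(String[] args) {
        Map<String, String> present = new HashMap<>();
        present.put("URLToOpen", "https://example.com/");   // 20 characters

        Map<String, String> absent = new HashMap<>();        // name never set
        Map<String, String> nullValue = new HashMap<>();
        nullValue.put("URLToOpen", null);                    // name set, value null
        Map<String, String> blank = new HashMap<>();
        blank.put("URLToOpen", "   ");                       // name set, value blank

        System.out.println("checked, present: " + urlLengthChecked(present));

        try {
            urlLengthUnchecked(absent);
        } catch (NullPointerException e) {
            System.out.println("unchecked, absent: crashed with NullPointerException");
        }

        for (Map<String, String> extras : List.of(absent, nullValue, blank)) {
            try {
                urlLengthChecked(extras);
            } catch (IllegalArgumentException e) {
                System.out.println("checked: " + e.getMessage());
            }
        }
    }
}
```

Run with `java MissingValueDemo.java` (JDK 11 or later). In the real Android receiver the equivalent check is to test `intent.hasExtra("URLToOpen")` and then validate the returned string for null, empty and blank before using it; the important design point is that the decision is made once, at the boundary where the value enters, rather than relying on a NullPointerException being caught later (the related CERT rule ERR08-J listed under Taxonomy Mappings says not to catch it).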

▼Observed Examples
Reference: CVE-2002-0422
Description: Blank Host header triggers resultant infoleak.

Reference: CVE-2000-1006
Description: Blank "charset" attribute in MIME header triggers crash.

Reference: CVE-2004-1504
Description: Blank parameter causes external error infoleak.

Reference: CVE-2005-2053
Description: Blank parameter causes external error infoleak.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
Research Gap

Some "crash by port scan" bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.

▼Taxonomy Mappings
Taxonomy Name: PLOVER
Entry ID: N/A
Fit: N/A
Entry Name: Missing Value Error

Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)
Entry ID: ERR08-J
Fit: N/A
Entry Name: Do not catch NullPointerException or any of its ancestors
▼Related Attack Patterns
▼References