Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-600: Uncaught Exception in Servlet
Weakness ID: 600
Version: v4.17
Weakness Name: Uncaught Exception in Servlet
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
Likelihood of Exploit: (not stated)
▼Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

▼Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

▼Alternate Terms
Missing Catch Block

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature      Mapping  Type  ID   Name
CanPrecede  Allowed  Base  209  Generation of Error Message Containing Sensitive Information
ChildOf     Allowed  Base  248  Uncaught Exception
PeerOf      Allowed  Base  390  Detection of Error Condition Without Action
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  851   The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)
MemberOf  Prohibited  Category  962   SFP Secondary Cluster: Unchecked Status Condition
MemberOf  Prohibited  Category  1410  Comprehensive Categorization: Insufficient Control Flow Management
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-324  DoS: Crash, Exit, or Restart (impact)
MemberOf  Prohibited  BOSSView  BOSS-328  Read Application Data (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  962  SFP Secondary Cluster: Unchecked Status Condition
▼Common Consequences
Scope                          Likelihood  Impact                                               Note
Confidentiality, Availability  N/A         Read Application Data; DoS: Crash, Exit, or Restart  N/A
▼Potential Mitigations
Phase: Implementation
Mitigation ID: (none)
Strategy: (none)
Effectiveness: (not stated)
Description:

Catch every type of exception the servlet can raise. Record the details (exception class, message, stack trace) in the server-side log and send the client only a generic error response, so that the container's default error page, and the debugging information it carries, is never rendered to the user.

Note: (none)
▼Modes Of Introduction
Phase: Implementation
Note: N/A
▼Demonstrative Examples
Example 1

The following example attempts to resolve the caller's address to a hostname.

Language: Java (Bad code)

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
    String ip = req.getRemoteAddr();
    // InetAddress.getByName() throws UnknownHostException (a subclass of IOException)
    // when the lookup fails; nothing in this method catches it.
    InetAddress addr = InetAddress.getByName(ip);
    ... // elided in the original entry
    out.println("hello " + addr.getHostName());
}
```

A DNS lookup failure makes getByName() throw an UnknownHostException that doPost() does not catch. The exception propagates to the Servlet container, whose default error response typically includes the exception class, its message and the stack trace, which is exactly the debugging information the Extended Description warns about.
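A hardened version of the same handler, added here as an example that is not part of the CWE entry, showing the mitigation above in code: every exception the handler can raise is caught, the details go to the server log under a correlation id, and the client sees only a fixed message. The class name HostnameServlet, the use of java.util.logging, and the "ref <uuid>" message format are the editor's assumptions, not anything the entry prescribes.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the CWE entry. Class name, logger choice and the
// "ref <uuid>" message format are assumptions made for this illustration.
public class HostnameServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(HostnameServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Correlation id: lets an operator find the full stack trace in the server
        // log; the trace itself never leaves the server.
        String ref = UUID.randomUUID().toString();
        String ip = req.getRemoteAddr();
        res.setContentType("text/plain");
        res.setCharacterEncoding("UTF-8");
        try {
            InetAddress addr = InetAddress.getByName(ip);
            PrintWriter out = res.getWriter();
            out.println("hello " + addr.getHostName());
        } catch (UnknownHostException e) {
            // The failure the original example ignores: log it and degrade
            // gracefully by greeting the raw address instead of a resolved name.
            LOG.log(Level.INFO, "address lookup failed, ref=" + ref, e);
            res.getWriter().println("hello " + ip);
        } catch (Exception e) {
            // Anything unexpected (NullPointerException, IllegalStateException, ...):
            // record the details, return a generic 500 carrying only the reference id.
            // java.lang.Error is deliberately left to the container's error-page.
            LOG.log(Level.SEVERE, "unhandled exception in doPost, ref=" + ref, e);
            sendGenericError(res, HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Internal error (ref " + ref + ")");
        }
    }

    // Replaces whatever has been buffered so far with a fixed, non-revealing body.
    // If the response is already committed the body cannot be changed any more;
    // the log entry still carries the details under the same ref.
    private static void sendGenericError(HttpServletResponse res, int status, String body)
            throws IOException {
        if (res.isCommitted()) {
            return;
        }
        res.reset();
        res.setStatus(status);
        res.setContentType("text/plain");
        res.setCharacterEncoding("UTF-8");
        res.getWriter().println(body);
    }
}
```

Two checks worth keeping in mind when applying this pattern. First, the catch blocks must not themselves print e.getMessage() or e.toString() to the response: a message such as a malformed SQL string is exactly what the Extended Description says an attacker wants. Second, code-level catch blocks do not cover an Error (for example OutOfMemoryError) or an exception thrown from a filter in front of the servlet, so also register a container-level fallback in web.xml, an <error-page> element with <exception-type>java.lang.Throwable</exception-type> pointing at a static page, so that whatever still escapes renders that page rather than the container's default stack trace report.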

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions: (none)
▼Notes
Maintenance

The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.

▼Taxonomy Mappings
Taxonomy Name                                          Entry ID  Fit  Entry Name
The CERT Oracle Secure Coding Standard for Java (2011)  ERR01-J   N/A  Do not allow exceptions to expose sensitive information
Software Fault Patterns                                 SFP4      N/A  Unchecked Status Condition