CWE - CWE-392: Failure to Report Error in Status Code (1.0.1)

Home > CWE List > CWE- Individual Dictionary Definition (1.0.1)

CWE-392: Failure to Report Error in Status Code

Individual Definition in a New Window

Failure to Report Error in Status Code

Status: Draft

Weakness ID: 392 (Weakness Base)

Description

Summary

The software encounters an error but does not return a status code or return value to indicate that an error has occurred.

Demonstrative Examples

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

Java Example:

try {

// Something that may throw an exception.

...

} catch (Throwable t) {

logger.error("Caught: " + t.toString());

return;

}

Observed Examples

Reference	Description
CVE-2002-0499	Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
CVE-2002-1446	Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
CVE-2004-0063	Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
CVE-2005-2459	Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.

Other Notes

May be primary or resultant.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Base	684	Failure to Provide Specified Functionality	Research Concepts (primary)1000
ChildOf	Category	389	Error Conditions, Return Values, Status Codes	Development Concepts (primary)699

Taxonomy Mappings

Mapped Taxonomy Name	Mapped Node Name
PLOVER	Missing Error Status Code

Applicable Platforms

Languages

All

Time of Introduction

Architecture and Design

Implementation

Content History

Submissions

PLOVER. (Externally Mined)

Modifications

Sean Eidemiller. Cigital. 2008-07-01. (External)

added/updated demonstrative examples

Eric Dalci. Cigital. 2008-07-01. (External)

updated Time_of_Introduction

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Relationships, Other_Notes, Taxonomy_Mappings

Previous Entry Names

Missing Error Status Code (changed 2008-04-11)

Page Last Updated: October 16, 2008


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us