CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.8)

CWE-392: Missing Report of Error Condition

 
Weakness ID: 392 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
| Scope | Effect |
| --- | --- |
| Integrity, Other | Technical Impact: Varies by context; Unexpected state. Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors. |

+ Demonstrative Examples

Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

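(Bad Code)
Example Language: Java

try {
    // Something that may throw an exception.
    ...
} catch (Throwable t) {
    // The error is only logged; the response status is never changed,
    // so the client still receives the default "200 OK".
    logger.error("Caught: " + t.toString());
    return;
}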
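
A corrected counterpart to the snippet above, as an added example that is not part of the CWE entry: each catch block reports the failure through the HTTP status code instead of returning with the default 200. `TransferServlet`, `process()`, `report()` and the incident identifier are hypothetical names, and the code assumes the `javax.servlet` API is on the classpath.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the names below are illustrative, not from the CWE entry.
public class TransferServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(TransferServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            process(req);                                   // something that may throw
            resp.setStatus(HttpServletResponse.SC_OK);      // success is stated explicitly
        } catch (IllegalArgumentException e) {
            // Bad input from the caller: report it as a client error.
            report(resp, HttpServletResponse.SC_BAD_REQUEST, "Invalid request", e);
        } catch (Exception e) {
            // Anything else is a server-side failure and must not look like success.
            report(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Request failed", e);
        }
        // java.lang.Error is deliberately not caught; it propagates to the container.
    }

    private void report(HttpServletResponse resp, int status, String publicMessage, Exception e)
            throws IOException {
        String incident = UUID.randomUUID().toString();
        logger.log(Level.SEVERE, "doPost failed, incident " + incident, e);
        if (resp.isCommitted()) {
            // The status line is already on the wire; fail loudly rather than return quietly.
            throw new IOException("response already committed, incident " + incident, e);
        }
        // The client gets a status code and a correlation id, not the exception text.
        resp.sendError(status, publicMessage + " (incident " + incident + ")");
    }

    // Hypothetical stand-in for "something that may throw an exception".
    private void process(HttpServletRequest req) {
        String amount = req.getParameter("amount");
        if (amount == null) {
            throw new IllegalArgumentException("missing amount");
        }
        Long.parseLong(amount);   // NumberFormatException is an IllegalArgumentException
    }
}
```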
+ Observed Examples
| Reference | Description |
| --- | --- |
| | Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number. |
| | Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages. |
| | Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory. |
| | Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference. |
+ Weakness Ordinalities
| Ordinality | Description |
| --- | --- |
| Primary | (where the weakness exists independent of other weaknesses) |
| Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
+ Relationships
| Nature | Type | ID | Name | View(s) this relationship pertains to |
| --- | --- | --- | --- | --- |
| ChildOf | Category | 389 | Error Conditions, Return Values, Status Codes | Development Concepts (primary) 699 |
| ChildOf | Weakness Base | 684 | Incorrect Provision of Specified Functionality | Research Concepts (primary) 1000 |
| ChildOf | Weakness Class | 703 | Improper Check or Handling of Exceptional Conditions | Research Concepts 1000 |
| ChildOf | Category | 855 | CERT Java Secure Coding Section 10 - Thread Pools (TPS) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844 |
| ChildOf | Category | 961 | SFP Secondary Cluster: Incorrect Exception Behavior | Software Fault Pattern (SFP) Clusters (primary) 888 |
| MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) 884 |
+ Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
| --- | --- | --- | --- |
| PLOVER | | | Missing Error Status Code |
| CERT Java Secure Coding | TPS03-J | | Ensure that tasks executing in a thread pool do not fail silently |
| Software Fault Patterns | SFP6 | | Incorrect Exception Behavior |
+ Content History
Submissions

| Submission Date | Submitter | Organization | Source |
| --- | --- | --- | --- |
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Change |
| --- | --- | --- | --- | --- |
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
| 2009-10-29 | CWE Content Team | MITRE | Internal | updated Other_Notes, Weakness_Ordinalities |
| 2010-12-13 | CWE Content Team | MITRE | Internal | updated Description, Name |
| 2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2011-06-27 | CWE Content Team | MITRE | Internal | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships |
| 2014-07-30 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy_Mappings |

Previous Entry Names

| Change Date | Previous Entry Name |
| --- | --- |
| 2008-04-11 | Missing Error Status Code |
| 2010-12-13 | Failure to Report Error in Status Code |
Page Last Updated: July 30, 2014