Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types


CWE-392: Missing Report of Error Condition

Weakness ID: 392 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Common Consequences

Technical Impact: Varies by context; Unexpected state

Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

+ Demonstrative Examples

Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

(Bad Code)
Example Language: Java
try {
    // Something that may throw an exception.
} catch (Throwable t) {
    // The error is only logged; the response status stays at the default "200 OK".
    logger.error("Caught: " + t.toString());
}
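
The pattern from Example 1 beside a corrected handler, as an added example that is not part of the CWE entry. It uses the JDK's built-in com.sun.net.httpserver server in place of a servlet container so that it runs stand-alone; the class name, the URL paths and the process() check are constructed for illustration.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

public class ErrorStatusDemo {
    static final Logger LOG = Logger.getLogger("demo");

    // Constructed stand-in for "something that may throw an exception".
    static void process(HttpExchange ex) throws IOException {
        String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
        if (body.isBlank()) throw new IllegalArgumentException("empty request body");
    }
    // Sends the status line with no response body and ends the exchange.
    static void finish(HttpExchange ex, int status) throws IOException {
        ex.sendResponseHeaders(status, -1);
        ex.close();
    }
    // Weak form (CWE-392): the failure is logged, yet the client still gets 200.
    static void silentHandler(HttpExchange ex) throws IOException {
        try { process(ex); } catch (Throwable t) { LOG.severe("Caught: " + t); }
        finish(ex, 200);
    }
    // Corrected form: keep the detail in the server log, report the failure as 500.
    static void reportingHandler(HttpExchange ex) throws IOException {
        int status = 200;
        try { process(ex); } catch (RuntimeException e) {
            LOG.severe("Request failed: " + e);
            status = 500;
        }
        finish(ex, status);
    }
    // Sends an empty POST (the constructed failing input) and returns the HTTP status.
    static int post(int port, String path) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create("http://127.0.0.1:" + port + path))
                .POST(HttpRequest.BodyPublishers.noBody()).build();
        return HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }
    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/silent", ErrorStatusDemo::silentHandler);
        server.createContext("/reporting", ErrorStatusDemo::reportingHandler);
        server.start();
        int port = server.getAddress().getPort();
        System.out.println("/silent    -> HTTP " + post(port, "/silent"));
        System.out.println("/reporting -> HTTP " + post(port, "/reporting"));
        server.stop(0);
    }
}
```

In a servlet's doPost(), the corresponding step in the catch block is a call such as response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).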
+ Observed Examples
  • Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
  • Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
  • Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
  • Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 389 | Error Conditions, Return Values, Status Codes | Development Concepts (primary) 699
ChildOf | Weakness Base | 684 | Incorrect Provision of Specified Functionality | Research Concepts (primary) 1000
ChildOf | Weakness Class | 703 | Improper Check or Handling of Exceptional Conditions | Research Concepts 1000
ChildOf | Category | 855 | CERT Java Secure Coding Section 10 - Thread Pools (TPS) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
ChildOf | Category | 889 | SFP Cluster: Exception Management | Software Fault Pattern (SFP) Clusters (primary) 888
MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) 884
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Missing Error Status Code
CERT Java Secure Coding | TPS03-J | | Ensure that tasks executing in a thread pool do not fail silently
+ Content History
Submission Date | Submitter | Organization | Source
Externally Mined
Modification Date | Modifier | Organization | Source
added/updated demonstrative examples
updated Time_of_Introduction
updated Relationships, Other_Notes, Taxonomy_Mappings
updated Relationships
updated Other_Notes, Weakness_Ordinalities
updated Description, Name
updated Common_Consequences, Relationships, Taxonomy_Mappings
updated Common_Consequences
updated Common_Consequences, Relationships
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Missing Error Status Code
2010-12-13 | Failure to Report Error in Status Code
Page Last Updated: June 23, 2014