CWE-392: Missing Report of Error Condition

Weakness ID: 392 (Weakness Base)
Status: Draft
Description

The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.
Time of Introduction

- Architecture and Design
- Implementation
Common Consequences

| Scope | Effect |
|---|---|
| Integrity, Other | Technical Impact: Varies by context; Unexpected state. Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors. |
Demonstrative Examples

Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (the default) even if an error occurs.

(Bad Code)
Example Language: Java

```java
try {
    // Something that may throw an exception.
    ...
} catch (Throwable t) {
    // The failure is only logged. No error status is set on the response,
    // so the client still receives the default "200 OK".
    logger.error("Caught: " + t.toString());
    return;
}
```

Observed Examples

| Reference | Description |
|---|---|
| CVE-2004-0063 | Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number. |
| CVE-2002-1446 | Error checking routine in PKCS#11 library returns "OK" status even when an invalid signature is detected, allowing spoofed messages. |
| CVE-2002-0499 | Kernel function truncates long pathnames without generating an error, leading to operation on the wrong directory. |
| CVE-2005-2459 | Function returns a non-error value when a particular erroneous condition is encountered, leading to a resultant NULL dereference. |
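A corrected version of the doPost() pattern from Example 1, added here as an illustration and not code from the CWE entry: each catch block logs the failure and also reports it to the client with an appropriate HTTP status, so a failed request never goes out as "200 OK". The servlet class, processOrder() and the `quantity` parameter are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical servlet used to illustrate the fix for CWE-392.
public class OrderServlet extends HttpServlet {
    private static final Logger logger = LoggerFactory.getLogger(OrderServlet.class);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            processOrder(req);
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (IllegalArgumentException e) {
            // Client-side problem: report it as such rather than as success.
            logger.warn("Rejected request: {}", e.getMessage());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid request");
        } catch (Exception e) {
            // Server-side failure: keep the details in the log, but report a
            // 500 to the client instead of the default 200. sendError() throws
            // IllegalStateException if the response was already committed, so
            // do not write to the response before the status is decided.
            logger.error("Request failed", e);
            if (!resp.isCommitted()) {
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    // Hypothetical business logic: validates the request and throws on failure
    // (NumberFormatException is a subclass of IllegalArgumentException).
    private void processOrder(HttpServletRequest req) {
        String qty = req.getParameter("quantity");
        if (qty == null || Integer.parseInt(qty) <= 0) {
            throw new IllegalArgumentException("quantity must be a positive integer");
        }
    }
}
```

Catching Exception rather than Throwable also avoids swallowing JVM errors such as OutOfMemoryError, which the container should see.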
Weakness Ordinalities

| Ordinality | Description |
|---|---|
| Primary | (where the weakness exists independent of other weaknesses) |
| Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Relationships

Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Missing Error Status Code |
| CERT Java Secure Coding | TPS03-J | | Ensure that tasks executing in a thread pool do not fail silently |
Content History

Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
| 2009-10-29 | CWE Content Team | MITRE | Internal | updated Other_Notes, Weakness_Ordinalities |
| 2010-12-13 | CWE Content Team | MITRE | Internal | updated Description, Name |
| 2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2011-06-27 | CWE Content Team | MITRE | Internal | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships |

Previous Entry Names

| Change Date | Previous Entry Name |
|---|---|
| 2008-04-11 | Missing Error Status Code |
| 2010-12-13 | Failure to Report Error in Status Code |