CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.7)


CWE-392: Missing Report of Error Condition

Weakness ID: 392 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect

Technical Impact: Varies by context; Unexpected state

Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

+ Demonstrative Examples

Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

(Bad Code)
Example Language: Java

    try {
        // Something that may throw an exception.
        ...
    } catch (Throwable t) {
        // The error is only logged; no status is set, so the response keeps the default "200 OK".
        logger.error("Caught: " + t.toString());
        return;
    }
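A corrected form of the handler above, as an added example that is not part of the CWE entry: every failure path sets an explicit status instead of falling through to the default "200 OK". It assumes the javax.servlet API is on the classpath; the class name `TransferServlet`, the `amount` parameter and the `transfer()` method are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class name, parameter name and transfer() are hypothetical.
public class TransferServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(TransferServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        try {
            long amount = Long.parseLong(req.getParameter("amount"));
            transfer(amount); // something that may throw an exception
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT); // success, stated explicitly
        } catch (IllegalArgumentException e) {
            // Caller's fault: NumberFormatException (a subclass) or a rejected value.
            LOG.log(Level.WARNING, "Rejected request", e);
            report(resp, HttpServletResponse.SC_BAD_REQUEST, "Invalid request");
        } catch (Exception e) {
            // Server's fault: log the detail, return only a generic message.
            LOG.log(Level.SEVERE, "Transfer failed", e);
            report(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Request failed");
        }
        // Error subclasses are deliberately not caught: they propagate to the
        // container's error handling instead of being hidden behind a 200.
    }

    // sendError() throws IllegalStateException once the response is committed,
    // so check first; a committed response can no longer change its status.
    private void report(HttpServletResponse resp, int status, String msg)
            throws IOException {
        if (resp.isCommitted()) {
            LOG.warning("Response already committed; cannot report status " + status);
            return;
        }
        resp.sendError(status, msg);
    }

    // Hypothetical operation standing in for the "..." in the snippet above.
    private void transfer(long amount) throws Exception {
        if (amount <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
    }
}
```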
+ Observed Examples
Reference | Description
Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
+ Weakness Ordinalities
Ordinality | Description
(where the weakness exists independent of other weaknesses)
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 389 | Error Conditions, Return Values, Status Codes | Development Concepts (primary) 699
ChildOf | Weakness Base | 684 | Incorrect Provision of Specified Functionality | Research Concepts (primary) 1000
ChildOf | Weakness Class | 703 | Improper Check or Handling of Exceptional Conditions | Research Concepts 1000
ChildOf | Category | 855 | CERT Java Secure Coding Section 10 - Thread Pools (TPS) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
ChildOf | Category | 889 | SFP Cluster: Exception Management | Software Fault Pattern (SFP) Clusters (primary) 888
MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) 884
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Missing Error Status Code
CERT Java Secure Coding | TPS03-J | | Ensure that tasks executing in a thread pool do not fail silently
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | | Cigital | External
  added/updated demonstrative examples
2008-07-01 | | Cigital | External
  updated Time_of_Introduction
2008-09-08 | | MITRE | Internal
  updated Relationships, Other_Notes, Taxonomy_Mappings
2009-03-10 | | MITRE | Internal
  updated Relationships
2009-10-29 | | MITRE | Internal
  updated Other_Notes, Weakness_Ordinalities
2010-12-13 | | MITRE | Internal
  updated Description, Name
2011-06-01 | | MITRE | Internal
  updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 | | MITRE | Internal
  updated Common_Consequences
2012-05-11 | | MITRE | Internal
  updated Common_Consequences, Relationships
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Missing Error Status Code
2010-12-13 | Failure to Report Error in Status Code
Page Last Updated: June 23, 2014