
CWE-600 Individual Dictionary Definition (Draft 9)

Failure to Catch All Exceptions (Missing Catch Block)
Weakness ID: 600 (Weakness Base)
Status: Draft

Description

Summary

A Servlet fails to catch all exceptions, which may reveal sensitive debugging information.

Demonstrative Examples

In the following method, a DNS lookup failure causes the Servlet to throw an exception that nothing in the method catches.

import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doPost(HttpServletRequest req, HttpServletResponse res)
    throws IOException {
  String ip = req.getRemoteAddr();
  // getByName() throws UnknownHostException (an IOException) when the lookup
  // fails; nothing here catches it, so it propagates to the Servlet container.
  InetAddress addr = InetAddress.getByName(ip);
  java.io.PrintWriter out = res.getWriter();
  // ...
  out.println("hello " + addr.getHostName());
}

Context Notes

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
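A hardened version of the Servlet method above, added here as an illustration and not part of the CWE entry. The class name, logger and chosen HTTP status codes are assumptions; the point is that the lookup failure is caught, logged server-side, and answered with a generic status instead of the container's default error page.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; only doPost matters for the example.
public class GreetingServlet extends HttpServlet {
    private static final Logger LOG =
        Logger.getLogger(GreetingServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String ip = req.getRemoteAddr();
        String hostName;
        try {
            // Same reverse lookup as the vulnerable example, but failures are
            // handled here rather than left to the container.
            hostName = InetAddress.getByName(ip).getHostName();
        } catch (UnknownHostException e) {
            // Keep the detail (address, stack trace) in the server log only;
            // the client sees a generic status with no debugging information.
            LOG.log(Level.WARNING, "Reverse lookup failed for " + ip, e);
            res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        } catch (Exception e) {
            // Catch-all for anything unexpected, so the container's default
            // error response (stack trace, container version) is never sent.
            LOG.log(Level.SEVERE, "Unexpected error while handling request", e);
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        res.setContentType("text/plain");
        res.getWriter().println("hello " + hostName);
    }
}
```

As a complementary, defence-in-depth measure, an <error-page> mapping in web.xml lets the container serve a fixed page for any exception that still escapes, instead of its default diagnostic page.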

Relationships
Nature      Type            ID   Name
ChildOf     Category        388  Error Handling
ChildOf     Weakness Class  691  Insufficient Control Flow Management
CanPrecede  Weakness Base   209  Error Message Information Leaks
PeerOf      Weakness Class  390  Detection of Error Condition Without Action

Page Last Updated: April 22, 2008