Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-600: Uncaught Exception in Servlet

Weakness ID: 600
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

+ Alternate Terms
Missing Catch Block
+ Time of Introduction
  • Implementation
+ Common Consequences

Technical Impact: Read application data; DoS: crash / exit / restart

+ Demonstrative Examples

Example 1

In the following method a DNS lookup failure will cause the Servlet to throw an exception.

(Bad Code)
Example Language: Java 
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
String ip = req.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
out.println("hello " + addr.getHostName());
+ Potential Mitigations

Phase: Implementation

Implement Exception blocks to handle all types of Exceptions.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base248Uncaught Exception
Research Concepts (primary)1000
ChildOfCategoryCategory388Error Handling
Development Concepts (primary)699
ChildOfCategoryCategory851CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOfCategoryCategory962SFP Secondary Cluster: Unchecked Status Condition
Software Fault Pattern (SFP) Clusters (primary)888
CanPrecedeWeakness BaseWeakness Base209Information Exposure Through an Error Message
Research Concepts1000
PeerOfWeakness ClassWeakness Class390Detection of Error Condition Without Action
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT Java Secure CodingERR01-JDo not allow exceptions to expose sensitive information
Software Fault PatternsSFP4Unchecked Status Condition
+ Maintenance Notes

The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.

+ Content History
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes
2009-03-10CWE Content TeamMITREInternal
updated Alternate_Terms, Description, Maintenance_Notes, Name, Other_Notes, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative_Examples
2010-12-13CWE Content TeamMITREInternal
updated Description, Name
2011-03-29CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Missing Catch Block
2009-03-10Failure to Catch All Exceptions (Missing Catch Block)
2010-12-13Failure to Catch All Exceptions in Servlet

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017