CWE-232: Improper Handling of Undefined Values

Description

The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2000-1003

Client crash when server returns unknown driver type.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Unexpected State — Notes:

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In this example, an address parameter is read and trimmed of whitespace.

Body: If the value of the address parameter is null (undefined), the servlet will throw a NullPointerException when the trim() is attempted.

String address = request.getParameter("address"); address = address.trim(); String updateString = "UPDATE shippingInfo SET address='?' WHERE email='[email protected]'"; emailAddress = con.prepareStatement(updateString); emailAddress.setString(1, address);

Notes

No notes available.

← Back to CWE list