A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.
This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the product to assume that an action is safe or correct, even when it is not.
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2003-1132
DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
CVE: CVE-2001-1509
Hardware-specific implementation of system call causes incorrect results from geteuid.
CVE: CVE-2001-1559
Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
CVE: CVE-2014-1266
Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
| Phase | Note |
|---|---|
| Implementation | N/A |
In the following example, an HTTP 404 status code is returned whenever an IOException is encountered in a Java servlet. A 404 code is meant to indicate a non-existent resource, so returning it for an arbitrary I/O failure misreports what actually happened.

```java
try {
    // something that might throw IOException
    ...
} catch (IOException ioe) {
    // Every I/O failure, whatever its cause, is reported as "Not Found" (CWE-393)
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
}
```
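As an added example that is not part of the CWE entry, the same misleading mapping is shown beside a truthful one in Python rather than Java, together with a caller that acts on the returned code; the `FileStore` backend and all handler names are constructed for illustration.

```python
"""Constructed example: a handler that collapses every I/O failure into 404
(CWE-393) next to one that reports the true outcome, and a caller whose
decision depends on which code it receives."""
from http import HTTPStatus


class FileStore:
    """Constructed backend that can fail in two distinct ways."""

    def __init__(self, files, broken=False):
        self.files = files      # name -> bytes
        self.broken = broken    # simulate a transient storage failure

    def read(self, name):
        if self.broken:
            raise IOError("storage unavailable")   # backend failure, not "absent"
        if name not in self.files:
            raise FileNotFoundError(name)          # resource genuinely absent
        return self.files[name]


def handle_misleading(store, name):
    """Mirrors the servlet snippet: any IOError becomes 404.
    FileNotFoundError subclasses OSError (alias IOError), so both cases
    collapse into the same misleading status."""
    try:
        return HTTPStatus.OK, store.read(name)
    except IOError:
        return HTTPStatus.NOT_FOUND, None


def handle_truthful(store, name):
    """Distinguishes 'resource absent' (404) from 'backend failed' (500)."""
    try:
        return HTTPStatus.OK, store.read(name)
    except FileNotFoundError:
        return HTTPStatus.NOT_FOUND, None
    except IOError:
        return HTTPStatus.INTERNAL_SERVER_ERROR, None


def client_decision(status):
    """A caller that trusts the code: 404 means the resource is gone, so it
    purges its local reference; a 5xx is transient, so it retries later."""
    if status == HTTPStatus.NOT_FOUND:
        return "purge"
    if 500 <= status < 600:
        return "retry"
    return "use"
```

With the misleading handler, a storage outage makes the caller purge a reference to a resource that still exists; the truthful handler lets it retry instead.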