CWE-600: Uncaught Exception in Servlet

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Read Application Data, DoS: Crash, Exit, or Restart — Notes:

Potential Mitigations

Implementation: Implement Exception blocks to handle all types of Exceptions. (N/A)

Applicable Platforms

None listed.

Demonstrative Examples

Intro: The following example attempts to resolve a hostname.

Body: A DNS lookup failure will cause the Servlet to throw an exception.

protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException { String ip = req.getRemoteAddr(); InetAddress addr = InetAddress.getByName(ip); ... out.println("hello " + addr.getHostName()); }

Notes

Maintenance: The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.

← Back to CWE list