CWE-248: Uncaught Exception

Description

An exception is thrown from a function, but it is not caught.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

When an exception is not caught, it may cause the program to crash or expose sensitive information.

Example Vulnerable Codes

Example - 1

The following example attempts to resolve a hostname.


String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {}

A DNS lookup failure will cause the Servlet to throw an exception.

Example - 2

The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().

Example - 3

EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-600: Uncaught Exception in Servlet
Go to
CWE-703: Improper Check or Handling of Exceptional Conditions
Go to
CWE-705: Incorrect Control Flow Scoping
Go to
CWE-755: Improper Handling of Exceptional Conditions
Go to

Visit http://cwe.mitre.org/ for more details.