CWE-600: Uncaught Exception in Servlet

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Submission Date :

Dec. 15, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Example Vulnerable Codes

Example - 1

The following example attempts to resolve a hostname.


String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {}

A DNS lookup failure will cause the Servlet to throw an exception.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-209: Generation of Error Message Containing Sensitive Information
Go to
CWE-248: Uncaught Exception
Go to
CWE-390: Detection of Error Condition Without Action
Go to

Visit http://cwe.mitre.org/ for more details.