CWE-600: Uncaught Exception in Servlet
Description
The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
Submission Date :
Dec. 15, 2006, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Extended Description
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
Example - 1
The following example attempts to resolve a hostname. A DNS lookup failure will cause the Servlet to throw an exception.
String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {}
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.