VariantDraft

CWE-600Uncaught Exception in Servlet

Category: other

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Common consequences· 1

  • Confidentiality / Availability — Read Application Data, DoS: Crash, Exit, or Restart

Potential mitigations· 1

  • [Implementation]Implement Exception blocks to handle all types of Exceptions.

References

  1. https://cwe.mitre.org/data/definitions/600.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Servlet Runtime Error Message Containing Sensitive Information
CWE
Uncaught Exception
CWE
Java Runtime Error Message Containing Sensitive Information
CWE
Exposure of Information Through Shell Error Message
CWE
J2EE Misconfiguration: Missing Custom Error Page
CWE
SQL Injection: Hibernate
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.