CWE-600 – Uncaught Exception in Servlet

Read Time:38 Second

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-248
CWE-209
CWE-390

 

Consequences

Confidentiality, Availability: Read Application Data, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Description: 

Implement Exception blocks to handle all types of Exceptions.

CVE References