CWE-392: Missing Report of Error Condition
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
Common Consequences
Scope: Integrity; Other
Technical Impact: Varies by Context; Unexpected State
Note: Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.
Observed Examples
Reference: [REF-1374]
Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391).
Reference: CVE-2004-0063
Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
Reference: CVE-2002-1446
Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
Reference: CVE-2002-0499
Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
Reference: CVE-2005-2459
Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Fit |
|---|---|---|---|
| PLOVER | - | Missing Error Status Code | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | TPS03-J | Ensure that tasks executing in a thread pool do not fail silently | - |
| Software Fault Patterns | SFP6 | Incorrect Exception Behavior | - |