CWE-600: Uncaught Exception in Servlet
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
扩展描述
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
常见后果
影响范围: Confidentiality Availability
技术影响: Read Application Data DoS: Crash, Exit, or Restart
潜在缓解措施
阶段: Implementation
描述: Implement Exception blocks to handle all types of Exceptions.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| The CERT Oracle Secure Coding Standard for Java (2011) | ERR01-J | Do not allow exceptions to expose sensitive information | - |
| Software Fault Patterns | SFP4 | Unchecked Status Condition | - |