Uncaught Exception | ID: 248 | Date: created 2012-05-14, modified 2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
An exception is thrown from a function, but it is not caught.
Extended Description
When an exception is not caught, it propagates to the runtime's default handler, which typically terminates the program (a crash, and so a denial of service) and may print a stack trace or error message that exposes sensitive information such as file paths, internal host names, request parameters or configuration details.
Applicable Platforms
Language: C++
Language: Java
Language: .NET
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Availability, Confidentiality | DoS: Crash, Exit, or Restart; Read Application Data | An uncaught exception could leave the system in a state that leads to a crash, to exposure of sensitive information (for example through a default error page that prints the stack trace) or to other unintended behavior.
Detection Methods
None
Potential Mitigations
None
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-248 ChildOf CWE-889 | Category | CWE-888 |
Demonstrative Examples (Details)
- EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, EnterCriticalSection() can raise an exception in low-memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. Note that this is a Windows structured exception (SEH), not a C++ exception: a C++ try/catch block does not see it (unless the code is compiled with /EHa), so code that must survive it has to guard the call with __try/__except or install a handler with SetUnhandledExceptionFilter().
- In a servlet method that resolves a host name, a DNS lookup failure throws an exception (in Java, java.net.UnknownHostException). If the method does not catch it, the exception propagates out of the request handler to the servlet container, which typically answers with a server-error page that may include the stack trace. (Demonstrative Example Id DX-39)
- The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() raises a stack-overflow exception. As in the first example this is a structured exception rather than a C++ exception, so an ordinary catch block does not handle it; if it is not caught, the program will crash, potentially enabling a denial of service attack, and the problem is trivially triggerable when the request size is attacker-controlled. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _malloca(), which serves requests above a size threshold from the heap instead of the stack and must be paired with _freea(); it still raises a stack-overflow exception when the stack itself is exhausted, so the guard is still needed.
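The servlet case (DX-39) in working code, as an added example that is neither the page's own listing nor CWE's code: a handler that resolves a caller-supplied host name, shown once letting UnknownHostException escape and once handling it. Assumptions: the javax.servlet API is on the classpath and the host name arrives as a `host` request parameter (the class, method and parameter names are chosen for this example).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet written for this example; not from the page or CWE.
public class HostLookupServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(HostLookupServlet.class.getName());

    // BEFORE (the CWE-248 pattern): InetAddress.getByName() performs a forward
    // DNS lookup of attacker-supplied input and throws UnknownHostException
    // (a checked IOException) when it fails. This method declares the
    // exception instead of handling it, so it escapes to the container, which
    // answers with a 500 page that, depending on configuration, prints the
    // stack trace and the resolver's error message to the client.
    protected void doPostUnhandled(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String host = req.getParameter("host"); // assumption: host comes from a request parameter
        InetAddress addr = InetAddress.getByName(host);
        PrintWriter out = res.getWriter();
        out.println("hello " + addr.getHostName());
    }

    // AFTER: catch the specific exception where the failure is meaningful,
    // keep the detail in the server-side log, and send a generic client
    // error so neither the stack trace nor the resolver message leaks.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String host = req.getParameter("host");
        if (host == null || host.isEmpty()) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing host");
            return;
        }
        InetAddress addr;
        try {
            addr = InetAddress.getByName(host);
        } catch (UnknownHostException e) {
            // Log the cause for operators; the message already names the host.
            LOG.log(Level.WARNING, "DNS lookup failed", e);
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown host");
            return;
        }
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("hello " + addr.getHostName());
    }
}
```

Because UnknownHostException is checked, javac forces the unhandled version to declare `throws IOException`; the declaration is what lets the weakness slip through review, since the method compiles cleanly. C++ and .NET exceptions carry no such declaration, so the same pattern there leaves no visible trace in the signature at all, and the guard has to be found by reading the callee's documentation for what it can throw.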
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
7 Pernicious Kingdoms | | Often Misused: Exception Handling |
CERT Java Secure Coding | ERR05-J | Do not let checked exceptions escape from a finally block |
CERT Java Secure Coding | ERR06-J | Do not throw undeclared checked exceptions |
References: None