Uncaught Exception

ID: 248
Date: (C)2012-05-14   (M)2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base





Description

An exception is thrown from a function, but it is not caught.

Extended Description

When an exception is not caught, it may cause the program to crash or expose sensitive information.

Applicable Platforms
Language: C++
Language: Java
Language: .NET

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

Scope: Availability, Confidentiality
Technical Impact: DoS: crash / exit / restart; Read application data
Notes: An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE: CWE-248 ChildOf CWE-889
Type: Category
View: CWE-888

Demonstrative Examples

  1. EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack.
  2. In the following method a DNS lookup failure will cause the Servlet to throw an exception. (Demonstrative Example Id DX-39)
  3. The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005®. It has been replaced with the more secure _alloca_s().
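
The lookup-failure case from example 2, sketched in C++ as an added example that is not part of the CWE entry: a handler that lets the exception escape next to one that catches it at the request boundary. The names resolve_host, handle_unguarded and handle_guarded, the addresses and the resolver message are all constructed for illustration.

```cpp
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

// Constructed stand-in for a DNS resolver: throws when the lookup fails.
std::string resolve_host(const std::string& ip) {
    static const std::map<std::string, std::string> table = {
        {"192.0.2.10", "client.example.test"}};  // constructed sample record
    auto it = table.find(ip);
    if (it == table.end())
        throw std::runtime_error("resolver 10.0.0.53 returned NXDOMAIN for " + ip);
    return it->second;
}

// Weak form: a lookup failure escapes the handler. If no caller catches it,
// std::terminate() ends the process (the crash / exit / restart impact).
std::string handle_unguarded(const std::string& ip) {
    return "hello " + resolve_host(ip);
}

// Hardened form: catch at the request boundary, keep the detail in the
// server-side log, and return a fixed message to the client so internal
// data in the exception text is not exposed.
std::string handle_guarded(const std::string& ip, std::string& server_log) {
    try {
        return "hello " + resolve_host(ip);
    } catch (const std::exception& e) {
        server_log = e.what();                   // detail stays server-side
    } catch (...) {
        server_log = "non-standard exception";   // types outside std::exception
    }
    return "error: request could not be processed";
}

int main() {
    std::string log;
    std::cout << handle_guarded("192.0.2.10", log) << "\n";
    std::cout << handle_guarded("198.51.100.7", log) << "\n";
    std::cout << "server log: " << log << "\n";
    return 0;
}
```

The catch-all sits at the outermost handler only; code deeper in the call chain can still throw specific exception types for callers that know how to recover.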

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

  • Taxonomy: 7 Pernicious Kingdoms; Name: Often Misused: Exception Handling
  • Taxonomy: CERT Java Secure Coding; Id: ERR05-J; Name: Do not let checked exceptions escape from a finally block
  • Taxonomy: CERT Java Secure Coding; Id: ERR06-J; Name: Do not throw undeclared checked exceptions

References:
None

CVE    3
CVE-2021-32694
CVE-2021-37714
CVE-2020-15796

© SecPod Technologies