Information Exposure Through Servlet Runtime Error Message| ID: 536 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
A servlet error message indicates that there exists an
unhandled exception in your web application code and may provide useful
information to an attacker.
Applicable PlatformsNone
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | The error message may contain the location of the file in which the
offending function is located. This may disclose the web root's absolute
path as well as give the attacker the location of application files or
configuration information. It may even disclose the portion of code that
failed. In many cases, an attacker can use the data to launch further
attacks against the system. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Do not expose sensitive error information to the user. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-536 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following servlet code does not catch runtime exceptions,
meaning that if such an exception were to occur, the container may display
potentially dangerous information (such as a full stack trace).
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| Anonymous Tool Vendor (under NDA) | | | |
References:None
