logo

Missing Handler

Draft Base
Structure: Simple
Description

This vulnerability occurs when a software component lacks the necessary code to properly handle an error or unexpected event.

Extended Description

Missing handlers leave your application vulnerable to crashes and unpredictable behavior. When an error is thrown and there's no specific code to catch and manage it, the program can't gracefully recover or decide how to proceed, often leading to a complete termination or exposing internal details. To prevent this, developers should implement structured exception handling around risky operations. This means anticipating potential points of failure—like network calls, file operations, or data parsing—and defining clear, secure responses for each scenario to maintain application stability and security.
Common Consequences 1
Scope: Other

Impact: Varies by Context
Potential Mitigations 2
Phase: Implementation
Handle all possible situations (e.g. error condition).
Phase: Implementation
If an operation can throw an Exception, implement a handler for that specific exception.
Demonstrative Examples 1
If a Servlet does not catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack. In the following method a DNS lookup failure will cause the Servlet to throw an exception.

Code Example:

Bad
Java
java
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker.
Observed Examples 1
CVE-2022-25302SDK for OPC Unified Architecture (OPC UA) is missing a handler for when a cast fails, allowing for a crash
References 1
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Insufficient Control Flow Management (CWE-691)
CanPrecede: Unparsed Raw Web Content Delivery (CWE-433)
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns