Uncaught Exception in Servlet

Draft Variant

Structure: Simple

Description

This vulnerability occurs when a Java Servlet fails to properly catch and handle exceptions, potentially exposing sensitive system information in error messages.

Extended Description

When an unhandled exception occurs in a Servlet, the application server's default error page often returns detailed debugging information directly to the user's browser. This data is extremely valuable to attackers, as it can reveal internal system details like database queries, software versions, and file paths—effectively providing a roadmap for further exploitation. To prevent this, developers must implement comprehensive exception handling that catches all Throwable objects and returns generic, user-friendly error messages. This practice ensures that sensitive technical details remain on the server side in logs, while end-users receive only the information they need, significantly reducing the application's attack surface.

Common Consequences 1

Scope: ConfidentialityAvailability

Impact: Read Application DataDoS: Crash, Exit, or Restart

Potential Mitigations 1

Phase: Implementation

Implement Exception blocks to handle all types of Exceptions.

Demonstrative Examples 1

ID : DX-39

The following example attempts to resolve a hostname.

Code Example:Bad
Java
java

A DNS lookup failure will cause the Servlet to throw an exception.

Modes of Introduction

Implementation

Alternate Terms

Missing Catch Block

Related Weaknesses

ChildOf:

Uncaught Exception (CWE-248)

CanPrecede:

Generation of Error Message Containing Sensitive Information (CWE-209)

PeerOf:

Detection of Error Condition Without Action (CWE-390)

Taxonomy Mapping

The CERT Oracle Secure Coding Standard for Java (2011)
Software Fault Patterns

Notes

MaintenanceThe "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.