Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

| ID | Name | Description |
|---|---|---|
| CWE-209 | Generation of Error Message Containing Sensitive Information | This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users. |
| CWE-230 | Improper Handling of Missing Values | This vulnerability occurs when software fails to properly check for or handle missing data values. It happens when a parameter, field, or argument name is provided, but its corresponding value is empty, blank, or null, and the system doesn't manage this absence safely. |
| CWE-232 | Improper Handling of Undefined Values | This vulnerability occurs when software fails to properly check for or handle undefined, null, or unsupported values passed to parameters, configuration fields, or function arguments. Instead of rejecting or safely converting these values, the system proceeds with an unexpected state, often leading to crashes or security flaws. |
| CWE-248 | Uncaught Exception | This vulnerability occurs when a function throws an error or exception, but the calling code does not have a proper handler to catch and manage it. |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | This vulnerability occurs when a J2EE application directly calls System.exit(), which forcibly terminates the entire application server process, not just the application itself. |
| CWE-390 | Detection of Error Condition Without Action | This weakness occurs when software successfully identifies an error condition but then fails to take any meaningful action to address it. The error is detected but ignored, leaving the system in an inconsistent or vulnerable state. |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Using a try-catch block for NullPointerException as a substitute for proper null checks is an anti-pattern. This approach masks the root cause of null pointer dereferences instead of preventing them, leading to unstable and difficult-to-debug code. |
| CWE-397 | Declaration of Throws for Generic Exception | This vulnerability occurs when a method is declared to throw an overly broad exception type, such as a generic 'Exception' or 'Throwable'. This practice masks the specific error conditions that can occur, making it difficult for calling code to handle failures appropriately. |
| CWE-460 | Improper Cleanup on Thrown Exception | This vulnerability occurs when a program fails to properly restore its state or release resources after an exception is thrown, leaving the application in an inconsistent or unexpected condition. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | This vulnerability occurs when an application unintentionally reveals sensitive details about its underlying system, such as file paths, software versions, or environment data, to users who should not have access to that information. |
| CWE-584 | Return Inside Finally Block | This vulnerability occurs when a function places a return statement inside a finally block. This dangerous pattern silently discards any unhandled exceptions thrown earlier in the try block, making errors invisible and undermining application stability. |
| CWE-600 | Uncaught Exception in Servlet | This vulnerability occurs when a Java Servlet fails to properly catch and handle exceptions, potentially exposing sensitive system information in error messages. |
| CWE-690 | Unchecked Return Value to NULL Pointer Dereference | This vulnerability occurs when a program calls a function that can return a NULL pointer to signal failure, but the code does not check for this error condition before using the returned value, leading to a crash or unexpected behavior from dereferencing the NULL pointer. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | This vulnerability occurs when software fails to properly plan for or manage rare but possible error scenarios, leaving it unprepared for unexpected events that can disrupt normal operation. |
| CWE-705 | Incorrect Control Flow Scoping | This vulnerability occurs when a program fails to return execution to the correct point in the code after finishing a specific operation or handling an error. Instead of resuming normal flow, it may jump to an unintended location, leading to unpredictable behavior or security issues. |
| CWE-844 | Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011) | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |