1. Home
  2. CWE Database
  3. CWE-230
Variant · Low-Medium

CWE-230: Improper Handling of Missing Values

The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

CWE-230 · Variant Level ·4 CVEs

Description

The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

Potential Impact

Integrity

Unexpected State

Demonstrative Examples

This Android application has registered to handle a URL when sent an intent:
Bad
...
                     IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter);
                     ...
                     
                     public class UrlHandlerReceiver extends BroadcastReceiver {
                        @Overridepublic void onReceive(Context context, Intent intent) {
                              if("com.example.URLHandler.openURL".equals(intent.getAction())) {String URL = intent.getStringExtra("URLToOpen");int length = URL.length();
                                 
                                 ...
                                 }
                           }
                     }
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Real-World CVE Examples

CVE IDDescription
CVE-2002-0422Blank Host header triggers resultant infoleak.
CVE-2000-1006Blank "charset" attribute in MIME header triggers crash.
CVE-2004-1504Blank parameter causes external error infoleak.
CVE-2005-2053Blank parameter causes external error infoleak.

CWE-229: Improper Handling of Values

The product does not properly handle when the expected number of values for parameters, fields, or arguments is not prov...

Taxonomy Mappings

  • PLOVER: — Missing Value Error
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR08-J — Do not catch NullPointerException or any of its ancestors

Frequently Asked Questions

What is CWE-230?

CWE-230 (Improper Handling of Missing Values) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

How can CWE-230 be exploited?

Attackers can exploit CWE-230 (Improper Handling of Missing Values) to unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-230?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-230?

CWE-230 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 4 real-world CVEs.