Variant · Low-Medium

CWE-232: Improper Handling of Undefined Values

The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

CWE-232 · Variant Level · 1 CVE

Description

The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

Potential Impact

Integrity

Unexpected State

Demonstrative Examples

In this example, an address parameter is read and trimmed of whitespace.
Bad

    // Reads the parameter and trims it before checking whether it was supplied at all.
    String address = request.getParameter("address");
    address = address.trim();
    // Bind parameter written as ? (not '?', which would make it a literal string in the SQL).
    String updateString = "UPDATE shippingInfo SET address=? WHERE email='[email protected]'";
    PreparedStatement emailAddress = con.prepareStatement(updateString);
    emailAddress.setString(1, address);

If the value of the address parameter is null (undefined, because the client did not send it), the servlet throws a NullPointerException when trim() is attempted.
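The same handler in vulnerable and hardened form, as an added example that is not part of the CWE entry. It assumes a stand-in request class (FakeRequest, constructed here so the code runs without a servlet container) with a getParameter() that returns null for absent parameters, a hypothetical MAX_ADDRESS_LEN limit, and an updateShippingAddress() method that is shown with a correctly placed bind parameter but not executed because it needs a live JDBC Connection:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Constructed stand-in for HttpServletRequest: only getParameter() is modelled, and it
// returns null when the parameter was not sent, exactly as the servlet API does.
final class FakeRequest {
    private final Map<String, String> params = new HashMap<>();

    FakeRequest with(String name, String value) {
        params.put(name, value);
        return this;
    }

    String getParameter(String name) {
        return params.get(name);
    }
}

public final class AddressUpdate {
    // Assumed upper bound for an address; the CWE example imposes no limit.
    static final int MAX_ADDRESS_LEN = 200;

    // Vulnerable form from the CWE example: trim() runs before any null check.
    static String vulnerableTrim(FakeRequest request) {
        String address = request.getParameter("address");
        address = address.trim(); // NullPointerException when "address" was not sent
        return address;
    }

    // Hardened form: an undefined (null) or unacceptable parameter is a rejected input, not a
    // crash. Optional.empty() tells the caller to answer with HTTP 400 instead of updating.
    static Optional<String> normalizeAddress(FakeRequest request) {
        String raw = request.getParameter("address");
        if (raw == null) {
            return Optional.empty(); // parameter not defined in the request
        }
        String address = raw.trim();
        if (address.isEmpty() || address.length() > MAX_ADDRESS_LEN) {
            return Optional.empty(); // defined, but not a usable value
        }
        return Optional.of(address);
    }

    // The UPDATE with real bind parameters. A '?' inside quotes would be a literal string,
    // so both placeholders are written unquoted. Not called from main(): needs a Connection.
    static int updateShippingAddress(Connection con, String email, String address)
            throws SQLException {
        String updateString = "UPDATE shippingInfo SET address=? WHERE email=?";
        try (PreparedStatement ps = con.prepareStatement(updateString)) {
            ps.setString(1, address);
            ps.setString(2, email);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        FakeRequest missing = new FakeRequest(); // no "address" parameter at all
        FakeRequest blank = new FakeRequest().with("address", "   ");
        FakeRequest padded = new FakeRequest().with("address", "  12 Main St  ");

        try {
            vulnerableTrim(missing);
        } catch (NullPointerException e) {
            System.out.println("vulnerable handler: NullPointerException on undefined parameter");
        }

        System.out.println("hardened, missing -> " + normalizeAddress(missing));
        System.out.println("hardened, blank   -> " + normalizeAddress(blank));
        System.out.println("hardened, padded  -> " + normalizeAddress(padded));
    }
}
```

Compile and run with `javac AddressUpdate.java && java AddressUpdate`. The design point is that "not defined" is a distinct input state the handler decides about explicitly (here by returning Optional.empty()), rather than one discovered later as an exception from an unrelated call; this also keeps the null-handling out of catch blocks, which is what the ERR08-J mapping below warns against.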

Real-World CVE Examples

CVE ID          Description
CVE-2000-1003   Client crash when server returns unknown driver type.

Taxonomy Mappings

  • PLOVER — Undefined Value Error
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR08-J — Do not catch NullPointerException or any of its ancestors

Frequently Asked Questions

What is CWE-232?

CWE-232 (Improper Handling of Undefined Values) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

How can CWE-232 be exploited?

Attackers can exploit CWE-232 (Improper Handling of Undefined Values) by omitting or supplying an unsupported value for a parameter, which drives the product into an unexpected state (in the example above, an unhandled exception that crashes the request). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-232?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-232?

CWE-232 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVE.