Base · Medium

CWE-392: Missing Report of Error Condition

CWE-392 · Base Level · 6 CVEs

Description

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

Potential Impact

Integrity, Other

Varies by Context, Unexpected State

Demonstrative Examples

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.
Bad:

    try {
        // Something that may throw an exception.
        ...
    } catch (Throwable t) {
        // The failure is logged and swallowed; no status code is set,
        // so the container still sends its default "200 OK" to the client.
        logger.error("Caught: " + t.toString());
        return;
    }
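The pattern above and its fix side by side, as an added example that is not part of the CWE entry. OrderServlet, processOrder() and the "qty" parameter are hypothetical, and the logger is assumed to be SLF4J; the point is that the error must reach the HTTP status code, not only the log.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Illustrative servlet (not from the CWE entry); processOrder() is hypothetical, logger assumed SLF4J.
public class OrderServlet extends HttpServlet {
    private static final Logger logger = LoggerFactory.getLogger(OrderServlet.class);

    // CWE-392 pattern: the exception is logged and swallowed, so the container
    // sends its default 200 OK and the client treats a failed order as accepted.
    protected void doPostBad(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        try {
            processOrder(req);
        } catch (Throwable t) {
            logger.error("Caught: " + t.toString());
            return; // status is still 200
        }
        resp.getWriter().write("order accepted");
    }

    // Fixed: the failure is reported in the status code. Nothing has been written
    // to the body yet, so sendError() can still replace the response.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            processOrder(req);
        } catch (IllegalArgumentException e) {
            logger.warn("Rejected order: {}", e.getMessage());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        } catch (RuntimeException e) {
            logger.error("Order processing failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        resp.getWriter().write("order accepted");
    }

    private void processOrder(HttpServletRequest req) {
        String qty = req.getParameter("qty");
        if (qty == null) throw new IllegalArgumentException("missing qty");
        Integer.parseInt(qty); // NumberFormatException extends IllegalArgumentException
    }
}
```

Rethrowing as ServletException instead of calling sendError() also works: the container then sends a 500 rather than the default 200.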

Real-World CVE Examples

CVE ID           Description
CVE-2024-52316   Web-based product can throw an exception during authentication but does not report the failure in the HTTP status code, allowing authentication bypass.
[REF-1374]       Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generat
CVE-2004-0063    Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
CVE-2002-1446    Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
CVE-2002-0499    Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
CVE-2005-2459    Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.

Taxonomy Mappings

  • PLOVER: Missing Error Status Code
  • The CERT Oracle Secure Coding Standard for Java (2011): TPS03-J — Ensure that tasks executing in a thread pool do not fail silently
  • Software Fault Patterns: SFP6 — Incorrect Exception Behavior

Frequently Asked Questions

What is CWE-392?

CWE-392 (Missing Report of Error Condition) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

How can CWE-392 be exploited?

The impact of exploiting CWE-392 (Missing Report of Error Condition) varies by context; in general, the product continues in an unexpected state because the caller is never told that an error occurred. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-392?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-392?

CWE-392 is classified as a Base-level weakness (Medium abstraction). It has been observed in 6 real-world CVEs.