Description
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of a language's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.
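The following is an added illustration of that paragraph, written for this page in Java like the entry's own demonstrative example; it is not code from the CWE entry. The doExchange() stand-in, its Failure enum and the two wrapper methods are assumptions made for the demonstration. Three failure kinds are the ones the original catch blocks anticipated; SECURITY and BUG stand for exception types that appeared later as the program grew.

```java
import java.io.IOException;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not code from the CWE entry. doExchange() is a stand-in that
// fails in a caller-selected way so the two catch styles can be compared.
public class BroadCatchDemo {
    private static final Logger logger = Logger.getLogger(BroadCatchDemo.class.getName());

    // IO and SQL are the failures the per-type catch blocks anticipated;
    // SECURITY and BUG represent exception types introduced later.
    enum Failure { NONE, IO, SQL, SECURITY, BUG }

    static void doExchange(Failure f) throws IOException, SQLException {
        switch (f) {
            case IO:       throw new IOException("connection reset by peer");
            case SQL:      throw new SQLException("deadlock detected");
            case SECURITY: throw new SecurityException("caller lacks EXCHANGE permission");
            case BUG:      throw new NullPointerException("session is null");
            default:       break; // NONE: the exchange succeeds
        }
    }

    // Overly broad catch (the pattern this entry describes): every failure,
    // including the authorization failure and the programming error, becomes
    // one SEVERE log line and the method reports an ordinary failure.
    static boolean exchangeBroad(Failure f) {
        try {
            doExchange(f);
            return true;
        } catch (Exception e) {
            logger.log(Level.SEVERE, "doExchange failed", e);
            return false;
        }
    }

    // Narrow catch: Java 7 multi-catch removes the repetition between the
    // per-type blocks without widening the net. SecurityException and the
    // NullPointerException are not caught here and propagate to the caller.
    static boolean exchangeNarrow(Failure f) {
        try {
            doExchange(f);
            return true;
        } catch (IOException | SQLException e) {
            logger.log(Level.WARNING, "doExchange failed, transient", e);
            return false;
        }
    }

    public static void main(String[] args) {
        logger.setLevel(Level.OFF); // keep the console output to the comparison below
        for (Failure f : Failure.values()) {
            System.out.println("broad  " + f + " -> returned " + exchangeBroad(f));
            try {
                System.out.println("narrow " + f + " -> returned " + exchangeNarrow(f));
            } catch (RuntimeException e) {
                System.out.println("narrow " + f + " -> propagated " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Compile and run with `javac BroadCatchDemo.java && java BroadCatchDemo`. The broad version returns false for every failure kind, so a caller cannot tell a transient network error from a denied operation or a null session, and only the log (if anyone reads it) records the difference. The narrow version returns false only for IO and SQL; SECURITY and BUG propagate out of exchangeNarrow() and reach the handler in main(), which is the behaviour the typed exceptions were designed to give.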
Potential Impact
Scope: Non-Repudiation, Other
Impact: Hide Activities
Demonstrative Examples
    // Three exception types handled in separate but identical catch blocks
    try {
        doExchange();
    }
    catch (IOException e) {
        logger.error("doExchange failed", e);
    }
    catch (InvocationTargetException e) {
        logger.error("doExchange failed", e);
    }
    catch (SQLException e) {
        logger.error("doExchange failed", e);
    }

    // The same blocks "condensed" into a single catch of Exception: the
    // pattern this entry warns about, since it also absorbs any exception
    // type that doExchange() may throw in the future
    try {
        doExchange();
    }
    catch (Exception e) {
        logger.error("doExchange failed", e);
    }
Detection Methods
- Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
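As an added example of the syntactic part of such a check (not a tool from the CWE entry or from any SAST product), the scanner below reads Java source line by line, extracts each catch clause's parameter list and flags any declared type that is broad. The class name, the BROAD_TYPES set and the embedded SAMPLE source are constructed for this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not a tool from the CWE entry: a line-oriented scanner for
// Java catch clauses whose declared type is broad.
public class BroadCatchFinder {
    // Matches "catch (" ... ")" and captures the parameter list.
    private static final Pattern CATCH_CLAUSE = Pattern.compile("\\bcatch\\s*\\(([^)]*)\\)");

    // Types wide enough to absorb unrelated failures. Exception and Throwable
    // are the classic CWE-396 cases; RuntimeException and Error are included
    // because they are broad for the same reason.
    private static final Set<String> BROAD_TYPES =
        Set.of("Exception", "Throwable", "RuntimeException", "Error");

    static List<String> findBroadCatches(String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = CATCH_CLAUSE.matcher(lines[i]);
            while (m.find()) {
                // e.g. "final java.lang.Exception e" or "IOException | SQLException e"
                String params = m.group(1).trim().replaceFirst("^final\\s+", "");
                // drop the trailing variable name, keep the type alternatives
                String types = params.replaceFirst("\\s+\\w+$", "");
                for (String t : types.split("\\|")) {
                    String simple = t.trim().replaceFirst("^java\\.lang\\.", "");
                    if (BROAD_TYPES.contains(simple)) {
                        findings.add("line " + (i + 1) + ": catches " + simple
                                     + " -> " + lines[i].trim());
                    }
                }
            }
        }
        return findings;
    }

    // Constructed sample input: one narrow multi-catch and two broad handlers.
    static final String SAMPLE =
          "class Client {\n"
        + "    void run() {\n"
        + "        try { doExchange(); }\n"
        + "        catch (IOException | SQLException e) { log(e); }\n"
        + "        try { doExchange(); }\n"
        + "        catch (Exception e) { log(e); }\n"
        + "        try { cleanup(); }\n"
        + "        catch (final java.lang.Throwable t) { }\n"
        + "    }\n"
        + "}\n";

    public static void main(String[] args) {
        for (String finding : findBroadCatches(SAMPLE)) {
            System.out.println(finding);
        }
    }
}
```

On the constructed sample it reports lines 6 and 8 and leaves the multi-catch on line 4 alone. A real SAST engine goes further than this: it resolves types rather than matching names, handles catch headers split across lines, and uses the control-flow model described above to distinguish a broad catch that rethrows or wraps the exception from one that swallows it, which is what keeps its false-positive rate acceptable.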
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms — Overly-Broad Catch Block
- Software Fault Patterns: SFP5 — Ambiguous Exception Type
- OMG ASCSM: ASCSM-CWE-396
- OMG ASCRM: ASCRM-CWE-396
Frequently Asked Questions
What is CWE-396?
CWE-396 (Declaration of Catch for Generic Exception) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
How can CWE-396 be exploited?
Attackers can exploit CWE-396 (Declaration of Catch for Generic Exception) to hide activities. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-396?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-396?
CWE-396 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.