Base · Medium

CWE-397: Declaration of Throws for Generic Exception

The product throws or raises overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

CWE-397 · Base Level

Description


Declaring a method to throw Exception or Throwable promotes generic error handling procedures that make it difficult for callers to perform proper error handling and error recovery. For example, Java's exception mechanism makes it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.

Potential Impact

Non-Repudiation, Other

Hide Activities, Alter Execution Logic

Demonstrative Examples

The following method throws three types of exceptions.
Good
public void doExchange() throws IOException, InvocationTargetException, SQLException {...}
While it might seem tidier to write
Bad
public void doExchange() throws Exception {...}
doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement.
Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be thrown.
Bad
#include <stdexcept>

// Dynamic exception specification (deprecated in C++11, removed in C++17):
// only the base class std::exception is declared, so the derived types
// actually thrown are not visible in the signature.
int myfunction() throw(std::exception) {
    if (0) throw std::out_of_range("index out of range");
    throw std::length_error("length exceeded");
}
In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown.
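The following Java program is an added illustration of the point made by both demonstrative examples above; it is not code from the CWE entry. It contrasts a doExchange() declared with throws Exception against one declared with specific exception types, and shows what each forces on the caller. The exchange classes, the input-based failure triggers and the "retry"/"abort" outcomes are hypothetical and constructed for the demonstration.

```java
import java.io.IOException;
import java.sql.SQLException;

// Added illustration of CWE-397 (not code from the CWE entry). Both
// exchange classes and their failure conditions are hypothetical.
public class ThrowsDeclarationDemo {

    // Bad: the signature exposes only "Exception". The compiler requires the
    // caller to handle Exception, but nothing forces it to distinguish a
    // transient I/O failure from a data error.
    static class BroadExchange {
        public void doExchange(String input) throws Exception {
            if (input == null) throw new IOException("connection dropped");
            if (input.isEmpty()) throw new SQLException("constraint violation");
        }
    }

    // Good: each failure mode is a distinct checked exception that the caller
    // must either handle separately or propagate explicitly.
    static class SpecificExchange {
        public void doExchange(String input) throws IOException, SQLException {
            if (input == null) throw new IOException("connection dropped");
            if (input.isEmpty()) throw new SQLException("constraint violation");
        }
    }

    // Caller of the broad version: a catch-all compiles cleanly, so retry
    // logic meant for I/O failures is silently applied to data errors too.
    static String callBroad(String input) {
        try {
            new BroadExchange().doExchange(input);
            return "ok";
        } catch (Exception e) {
            return "retry";   // wrong response for a SQLException
        }
    }

    // Caller of the specific version: each type gets its own handler. If
    // doExchange() later adds "throws TimeoutException" to its signature,
    // this method stops compiling until the new case is handled, which is
    // exactly the enforcement the text says the broad declaration loses.
    static String callSpecific(String input) {
        try {
            new SpecificExchange().doExchange(input);
            return "ok";
        } catch (IOException e) {
            return "retry";   // transient: safe to try again
        } catch (SQLException e) {
            return "abort";   // data error: retrying will not help
        }
    }

    public static void main(String[] args) {
        System.out.println("broad, empty input:    " + callBroad(""));
        System.out.println("specific, empty input: " + callSpecific(""));
        System.out.println("specific, null input:  " + callSpecific(null));
    }
}
```

Running main() shows the broad caller answering "retry" for the SQL failure while the specific caller answers "abort"; a SAST rule for this weakness typically flags the throws Exception (or throws Throwable) clause itself, as in the 7 Pernicious Kingdoms and CERT ERR07-J mappings listed below.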

Detection Methods

  • Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Overly-Broad Throws Declaration
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR07-J — Do not throw RuntimeException, Exception, or Throwable
  • Software Fault Patterns: SFP5 — Ambiguous Exception Type
  • OMG ASCSM: ASCSM-CWE-397
  • OMG ASCRM: ASCRM-CWE-397

Frequently Asked Questions

What is CWE-397?

CWE-397 (Declaration of Throws for Generic Exception) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product throws or raises overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

How can CWE-397 be exploited?

Attackers can exploit CWE-397 (Declaration of Throws for Generic Exception) to hide activities or alter execution logic. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-397?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-397?

CWE-397 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.