Base · Medium

CWE-431: Missing Handler

A handler is not available or implemented.

CWE-431 · Base Level · 1 CVE · 2 Mitigations

Description

A handler is not available or implemented.

When an exception is thrown and not caught, the process has given up its opportunity to decide whether a given failure or event warrants a change in execution; the outcome is then whatever the runtime or framework does by default (terminate, or emit a generic error page).

Potential Impact

Scope: Other · Impact: Varies by Context

Demonstrative Examples

If a Servlet does not catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack. In the following method a DNS lookup failure (InetAddress.getByName throws UnknownHostException, a subclass of IOException, which the method's throws clause simply passes on) will cause the Servlet to throw an exception.
Bad
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        InetAddress addr = InetAddress.getByName(ip);  // may throw UnknownHostException; nothing here catches it
        ...
        out.println("hello " + addr.getHostName());
    }
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker.

Mitigations & Prevention

Implementation

Handle all possible situations (e.g. error condition).

Implementation

If an operation can throw an Exception, implement a handler for that specific exception.
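The following is an added example (not code from CWE or from the page) that applies both mitigations to the doPost() method shown above. To keep it runnable without a servlet container, the servlet request and response are replaced by a plain String argument and an assumed Response record; the logic is otherwise the same as the Servlet example. Run with `java MissingHandlerExample.java` (Java 16 or later).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example: the page's doPost() rewritten as plain methods so it runs
// without a servlet container. Response is an assumed stand-in for the parts
// of HttpServletResponse the example needs (status code and body).
public class MissingHandlerExample {
    private static final Logger LOG = Logger.getLogger(MissingHandlerExample.class.getName());

    /** Stand-in for the servlet response: HTTP status and body text. */
    public record Response(int status, String body) {}

    /**
     * CWE-431 behaviour, matching the "Bad" example: UnknownHostException escapes,
     * so the container renders its default error page (stack trace included).
     */
    public static Response greetUnhandled(String remoteAddr) throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(remoteAddr); // throws on lookup failure
        return new Response(200, "hello " + addr.getHostName());
    }

    /**
     * Hardened: every failure path has a handler. The specific exception the operation
     * can throw is caught first (second mitigation); a catch-all covers anything
     * unexpected (first mitigation). Detail goes to the server log, never to the client.
     */
    public static Response greetHandled(String remoteAddr) {
        try {
            InetAddress addr = InetAddress.getByName(remoteAddr);
            return new Response(200, "hello " + addr.getHostName());
        } catch (UnknownHostException e) {
            LOG.log(Level.WARNING, "lookup failed for {0}: {1}",
                    new Object[] {remoteAddr, e.getMessage()});
            return new Response(400, "hello stranger");
        } catch (RuntimeException e) {
            LOG.log(Level.SEVERE, "unexpected failure while greeting " + remoteAddr, e);
            return new Response(500, "internal error");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a loopback address and a name under the reserved
        // .invalid TLD, which can never resolve (so it fails offline as well).
        for (String peer : new String[] {"127.0.0.1", "no-such-host.invalid"}) {
            System.out.println(peer + " -> " + greetHandled(peer));
        }
        try {
            greetUnhandled("no-such-host.invalid");
        } catch (UnknownHostException e) {
            System.out.println("unhandled path threw " + e.getClass().getSimpleName()
                    + "; a container would turn this into its default error page");
        }
    }
}
```

The point of the two catch blocks is not to swallow the error but to decide, in code, what the client sees: a fixed message and status, while the diagnostic detail (host name, exception message, stack trace) is written to the server log where an operator, not an attacker, can read it.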

Real-World CVE Examples

CVE ID          Description
CVE-2022-25302  SDK for OPC Unified Architecture (OPC UA) is missing a handler for when a cast fails, allowing for a crash

Taxonomy Mappings

  • PLOVER: — Missing Handler
  • Software Fault Patterns: SFP4 — Unchecked Status Condition

Frequently Asked Questions

What is CWE-431?

CWE-431 (Missing Handler) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A handler is not available or implemented.

How can CWE-431 be exploited?

The impact of CWE-431 (Missing Handler) varies by context. An uncaught exception can terminate the process (a denial of service, as in the OPC UA cast-failure CVE above) or, as in the Servlet example, cause the framework's default error response to leak debugging information that helps an attacker plan further attacks. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-431?

Key mitigations: handle all possible situations (e.g. error conditions), and wherever an operation can throw an exception, implement a handler for that specific exception so the program, not the runtime's default behaviour, decides the outcome.

What is the severity of CWE-431?

CWE-431 is classified as a Base-level weakness. It has been observed in 1 real-world CVE (CVE-2022-25302, listed above).