Variant · Low-Medium

CWE-536: Servlet Runtime Error Message Containing Sensitive Information

A servlet error message indicates that there exists an unhandled exception in the web application code and may provide useful information to an attacker.

Description

A servlet error message indicates that an unhandled exception exists in the web application code. The container's default error page for such an exception typically includes the exception class, its message and a full stack trace, which can disclose internal class names, file paths and framework details to an attacker.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following servlet code does not catch runtime exceptions, so if such an exception occurs the container may display potentially dangerous information (such as a full stack trace) to the client.
Bad
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String username = request.getParameter("username");

    // getParameter() returns null when the parameter is absent, so this
    // may throw an unchecked NullPointerException that the container
    // then reports to the client with a full stack trace.
    if (username.length() < 10) {...}
}
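A hardened counterpart to the snippet above, added here as an illustration and not taken from the CWE entry itself. It assumes the javax.servlet API and uses a hypothetical servlet class name; the parameter is validated before use, and any remaining runtime exception is logged server-side while the client receives only a generic status.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name; the doPost structure mirrors the "Bad" example above.
public class UsernameServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(UsernameServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            String username = request.getParameter("username");

            // Validate before use: a missing parameter is a client error, not an
            // exception, so the null case never reaches username.length().
            if (username == null || username.isEmpty()) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "username is required");
                return;
            }
            if (username.length() < 10) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "username is too short");
                return;
            }

            response.setContentType("text/plain");
            response.getWriter().println("OK");
        } catch (RuntimeException e) {
            // Keep the detail (exception class, message, stack trace) in the server
            // log only; the client gets a fixed message with no diagnostic content.
            LOG.log(Level.SEVERE, "Unhandled error while processing request", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal error");
        }
    }
}
```

The catch block only covers this method; as defense in depth, an <error-page> entry in web.xml mapped to java.lang.Throwable or to status 500 replaces the container's default stack-trace page for anything that escapes application code.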

Frequently Asked Questions

What is CWE-536?

CWE-536 (Servlet Runtime Error Message Containing Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A servlet error message indicates that there exists an unhandled exception in the web application code and may provide useful information to an attacker.

How can CWE-536 be exploited?

Attackers can exploit CWE-536 (Servlet Runtime Error Message Containing Sensitive Information) to read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-536?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-536?

CWE-536 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.