Description
The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
Potential Impact
- Other — Alter Execution Logic
Demonstrative Examples
try {
    // ...
    throw new IllegalArgumentException();
} finally {
    return r;   // the return discards the exception thrown above
}
Mitigations & Prevention
Do not use a return statement inside the finally block. The finally block should have "cleanup" code.
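The following is an added example (not part of the CWE entry) showing the weakness beside its fix: a port-validation method whose finally block returns swallows both the range-check exception and a NumberFormatException, so an invalid value flows on to the caller; the corrected method keeps the return in the try body and leaves the finally block for cleanup only. The class and method names are hypothetical.

```java
// Added example, not code from the CWE entry. Compile with
// "javac -Xlint:finally Cwe584Demo.java" to see javac's warning
// "finally clause cannot complete normally" on the weak method.
public class Cwe584Demo {

    // Weak (CWE-584): the return inside finally discards any in-flight
    // exception, so a failed validation still yields a "valid" result.
    static int parsePortWeak(String s) {
        int r = -1;
        try {
            r = Integer.parseInt(s);               // may throw NumberFormatException
            if (r < 1 || r > 65535) {
                throw new IllegalArgumentException("port out of range: " + r);
            }
        } finally {
            return r;   // "70000" returns 70000; "abc" returns -1; no exception escapes
        }
    }

    // Fixed: return on the normal path; finally performs cleanup only,
    // so the exception propagates to the caller as intended.
    static int parsePortFixed(String s) {
        int r = -1;
        try {
            r = Integer.parseInt(s);
            if (r < 1 || r > 65535) {
                throw new IllegalArgumentException("port out of range: " + r);
            }
            return r;
        } finally {
            // cleanup only (e.g. closing a resource); no return, no throw
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid port, one out of range, one not a number.
        String[] inputs = { "8080", "70000", "abc" };
        for (String in : inputs) {
            System.out.println("weak  : " + in + " -> " + parsePortWeak(in));
            try {
                System.out.println("fixed : " + in + " -> " + parsePortFixed(in));
            } catch (RuntimeException e) {
                System.out.println("fixed : " + in + " -> " + e);
            }
        }
    }
}
```

The weak method reports 70000 and -1 as if they were results, which is the "alter execution logic" impact: downstream code never learns that validation failed.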
Detection Methods
- Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): ERR04-J — Do not complete abruptly from a finally block
- The CERT Oracle Secure Coding Standard for Java (2011): ERR05-J — Do not let checked exceptions escape from a finally block
- Software Fault Patterns: SFP6 — Incorrect Exception Behavior
Frequently Asked Questions
What is CWE-584?
CWE-584 (Return Inside Finally Block) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
How can CWE-584 be exploited?
Attackers can exploit CWE-584 (Return Inside Finally Block) to alter execution logic. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-584?
Key mitigations include: Do not use a return statement inside the finally block. The finally block should have "cleanup" code.
What is the severity of CWE-584?
CWE-584 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.