1. Home
  2. CWE Database
  3. CWE-600
Variant · Low-Medium

CWE-600: Uncaught Exception in Servlet

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

CWE-600 · Variant Level ·1 Mitigations

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Potential Impact

Confidentiality, Availability

Read Application Data, DoS: Crash, Exit, or Restart

Demonstrative Examples

The following example attempts to resolve a hostname.
Bad
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {String ip = req.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);...out.println("hello " + addr.getHostName());}
A DNS lookup failure will cause the Servlet to throw an exception.

Mitigations & Prevention

Implementation

Implement Exception blocks to handle all types of Exceptions.

CWE-248: Uncaught Exception

An exception is thrown from a function, but it is not caught.

CWE-209: Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated d...

CWE-390: Detection of Error Condition Without Action

The product detects a specific error, but takes no actions to handle the error.

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): ERR01-J — Do not allow exceptions to expose sensitive information
  • Software Fault Patterns: SFP4 — Unchecked Status Condition

Frequently Asked Questions

What is CWE-600?

CWE-600 (Uncaught Exception in Servlet) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

How can CWE-600 be exploited?

Attackers can exploit CWE-600 (Uncaught Exception in Servlet) to read application data, dos: crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-600?

Key mitigations include: Implement Exception blocks to handle all types of Exceptions.

What is the severity of CWE-600?

CWE-600 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.