The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.
View on MITREDeclaring a method to throw Exception or Throwable promotes generic error handling procedures that make it difficult for callers to perform proper error handling and error recovery. For example, Java's exception mechanism makes it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.
Throwing a generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution.
No mitigation information available for this CWE.
No detection method information available for this CWE.
The following method throws three types of exceptions.
While it might seem tidier to write
The following method throws three types of exceptions.
While it might seem tidier to write
Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be thrown.
In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown.
CWE-397: Declaration of Throws for Generic Exception is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions. Declaring a method to throw Exception or Throwable promotes generic error handling procedures that make it difficult for callers to perform proper error handling and error recovery. For example, Java's exception mechanism makes it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.
If exploited, CWE-397 (Declaration of Throws for Generic Exception) it can compromise Non-Repudiation and Other, leading to outcomes such as Hide Activities and Alter Execution Logic.
CWE-397 commonly affects C++, C#, Java and Python. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-397 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.