The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
View on MITREWhen a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
Implement Exception blocks to handle all types of Exceptions.
No detection method information available for this CWE.
The following example attempts to resolve a hostname.
A DNS lookup failure will cause the Servlet to throw an exception.
CWE-600: Uncaught Exception in Servlet is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
If exploited, CWE-600 (Uncaught Exception in Servlet ) it can compromise Confidentiality and Availability, leading to outcomes such as Read Application Data and DoS: Crash, Exit, or Restart.
Recommended mitigations for CWE-600 include: Implement Exception blocks to handle all types of Exceptions.
A CWE (Common Weakness Enumeration) like CWE-600 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.