CWE-600: Uncaught Exception in Servlet

VariantDraft

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

View on MITRE
Back to CWE Lookup

Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-600: Uncaught Exception in Servlet ?+

CWE-600: Uncaught Exception in Servlet is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

What are the security consequences of Uncaught Exception in Servlet ?+

If exploited, CWE-600 (Uncaught Exception in Servlet ) it can compromise Confidentiality and Availability, leading to outcomes such as Read Application Data and DoS: Crash, Exit, or Restart.

How do you prevent or mitigate Uncaught Exception in Servlet ?+

Recommended mitigations for CWE-600 include: Implement Exception blocks to handle all types of Exceptions.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-600 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More