Error Conditions, Return Values, Status Codes

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.


Declaration of Catch for Generic Exception

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Declaration of Throws for Generic Exception

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Detection of Error Condition Without Action

The software detects a specific error, but takes no actions to handle the error.

Empty Exception Block

An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.

Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Incorrect Check of Function Return Value

The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions.

Missing Custom Error Page

The software does not return custom error pages to the user, possibly exposing sensitive information.

Missing Report of Error Condition

The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.

Missing Standardized Error Handling Mechanism

The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.

Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe th...

Return Inside Finally Block

The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

Return of Wrong Status Code

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the in...

Uncaught Exception

An exception is thrown from a function, but it is not caught.

Uncaught Exception in Servlet

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Unchecked Error Condition

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

Unchecked Return Value

The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Unexpected Status Code or Return Value

The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software.

Use of NullPointerException Catch to Detect NULL Pointer Dereference

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.


Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.