Uncaught Exception in Servlet
The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
In the following method a DNS lookup failure will cause the Servlet to throw an exception.
This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/...
This view (slice) covers all the elements in CWE.
This view (slice) lists weaknesses that can be introduced during implementation.
This view (slice) displays only weakness base elements.