Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
| ID | Name | Description |
|---|---|---|
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-230 | Improper Handling of Missing Values | The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. |
| CWE-232 | Improper Handling of Undefined Values | The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. |
| CWE-248 | Uncaught Exception | An exception is thrown from a function, but it is not caught. |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | A J2EE application uses System.exit(), which also shuts down its container. |
| CWE-390 | Detection of Error Condition Without Action | The product detects a specific error, but takes no actions to handle the error. |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. |
| CWE-397 | Declaration of Throws for Generic Exception | The product throws or raises an overly broad exception that can hide important details and produce inappropriate responses to certain conditions. |
| CWE-460 | Improper Cleanup on Thrown Exception | The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
| CWE-584 | Return Inside Finally Block | The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. |
| CWE-600 | Uncaught Exception in Servlet | The Servlet does not catch all exceptions, which may reveal sensitive debugging information. |
| CWE-690 | Unchecked Return Value to NULL Pointer Dereference | The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
| CWE-705 | Incorrect Control Flow Scoping | The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. |
| CWE-844 | Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011) | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
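The table only names the weaknesses. The Java class below is an added example, not text or code from the CWE entries or from the CERT standard, that places the non-compliant form next to the compliant form for several of the rows: a return inside finally (CWE-584), catching NullPointerException as a null check (CWE-395), resource cleanup on the exceptional path (CWE-460), and a request handler that rejects a missing value (CWE-230) and keeps exception details out of the client-visible response (CWE-209, CWE-600). The class name, method names and the status strings standing in for HTTP responses are invented for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.logging.Level;
import java.util.logging.Logger;

// Illustrative class; all names here are made up for this example.
public class ErrExamples {
    private static final Logger LOG = Logger.getLogger(ErrExamples.class.getName());

    // CWE-584 (non-compliant): a return inside finally abandons the pending
    // exception, so the caller receives -1 and never learns that the try block failed.
    static int returnInFinally() {
        try {
            throw new IllegalStateException("this exception is silently discarded");
        } finally {
            return -1;
        }
    }

    // Compliant: finally only cleans up, and the exception propagates to the caller.
    static int cleanupInFinally() {
        try {
            throw new IllegalStateException("this exception reaches the caller");
        } finally {
            LOG.fine("cleanup runs while the exception is still pending");
        }
    }

    // CWE-395 (non-compliant): catching NullPointerException as a null check also
    // hides an NPE raised for any other reason inside the try block.
    static int lengthViaCatch(String s) {
        try {
            return s.length();
        } catch (NullPointerException e) {
            return 0;
        }
    }

    // Compliant: test for null before dereferencing.
    static int lengthViaCheck(String s) {
        if (s == null) {
            return 0;
        }
        return s.length();
    }

    // CWE-460: try-with-resources closes the reader whether readLine() returns
    // or throws, so nothing is left open on the exceptional path.
    static String firstLine(String text) throws IOException {
        try (BufferedReader reader = new BufferedReader(new StringReader(text))) {
            return reader.readLine();
        }
    }

    // CWE-230 / CWE-209 / CWE-600: treat a missing value as a client error, and keep
    // exception details in the server log rather than in the response. The negative-id
    // branch is a constructed internal failure used to exercise the 500 path.
    static String handleRequest(String idParam) {
        if (idParam == null || idParam.trim().isEmpty()) {
            return "400 Bad Request: id is required";
        }
        try {
            int id = Integer.parseInt(idParam.trim());
            if (id < 0) {
                throw new IllegalArgumentException("negative id " + id);
            }
            return "200 OK: record " + id;
        } catch (NumberFormatException e) {
            return "400 Bad Request: id must be an integer";
        } catch (RuntimeException e) {
            // Stack trace and message go to the log only; the client sees a generic message.
            LOG.log(Level.SEVERE, "request failed for id=" + idParam, e);
            return "500 Internal Server Error";
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("returnInFinally(): " + returnInFinally());
        try {
            cleanupInFinally();
        } catch (IllegalStateException e) {
            System.out.println("cleanupInFinally() threw: " + e.getMessage());
        }
        System.out.println("lengthViaCatch(null): " + lengthViaCatch(null));
        System.out.println("lengthViaCheck(null): " + lengthViaCheck(null));
        System.out.println("firstLine(): " + firstLine("first line\nsecond line"));
        System.out.println(handleRequest(null));
        System.out.println(handleRequest("abc"));
        System.out.println(handleRequest("-1"));
        System.out.println(handleRequest("42"));
    }
}
```

Compiling with `javac -Xlint:finally ErrExamples.java` makes javac flag the `return` in `returnInFinally` with "finally clause cannot complete normally", which is the cheapest static check for CWE-584; the other three patterns need a reviewer or a static analyser that knows the CERT ERR rules.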