Category: SFP Secondary Cluster: Incorrect Exception Behavior

Status: Incomplete
Summary

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

Membership
ID | Name | Description

CWE-392 | Missing Report of Error Condition
    The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

CWE-393 | Return of Wrong Status Code
    A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.

CWE-455 | Non-exit on Failed Initialization
    The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.

CWE-460 | Improper Cleanup on Thrown Exception
    The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

CWE-544 | Missing Standardized Error Handling Mechanism
    The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.

CWE-584 | Return Inside Finally Block
    The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

CWE-636 | Not Failing Securely ('Failing Open')
    When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

CWE-703 | Improper Check or Handling of Exceptional Conditions
    The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

CWE-888 | Software Fault Pattern (SFP) Clusters
    CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.