Return of Wrong Status Code
Weakness ID: 393 (Weakness Base)Status: Draft
+ Description

Description Summary

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

Extended Description

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

(Bad Code)
Example Language: Java 
try {
// something that might throw IOException
...
} catch (IOException ioe) {
response.sendError(SC_NOT_FOUND);
}
+ Observed Examples
ReferenceDescription
CVE-2003-1132DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
CVE-2001-1509Hardware-specific implementation of system call causes incorrect results from geteuid.
CVE-2001-1559System call returns wrong value, leading to a resultant NULL dereference.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory389Error Conditions, Return Values, Status Codes
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base684Failure to Provide Specified Functionality
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class703Failure to Handle Exceptional Conditions
Research Concepts1000
+ Relationship Notes

This can be primary or resultant, but it is probably most often primary to other issues.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWrong Status Code
+ Maintenance Notes

This probably overlaps various categories, especially those related to error handling.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance Notes, Relationships, Other Notes, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-03-10CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Wrong Status Code
Back to top