Failure to Report Error in Status Code
Weakness ID: 392 (Weakness Base)Status: Draft
+ Description

Description Summary

The software encounters an error but does not return a status code or return value to indicate that an error has occurred.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Demonstrative Examples

Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

(Bad Code)
Example Language: Java 
try {
// Something that may throw an exception.
} catch (Throwable t) {
logger.error("Caught: " + t.toString());
+ Observed Examples
CVE-2004-0063Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
CVE-2002-1446Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
CVE-2002-0499Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
CVE-2005-2459Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory389Error Conditions, Return Values, Status Codes
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base684Failure to Provide Specified Functionality
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class703Failure to Handle Exceptional Conditions
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERMissing Error Status Code
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Weakness Ordinalities
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Missing Error Status Code