CWE 392

Failure to Report Error in Status Code

Weakness ID: 392 (Weakness Base)

Status: Draft

Description

Description Summary

The software encounters an error but does not return a status code or return value to indicate that an error has occurred.

Time of Introduction

Applicable Platforms

Languages

All

Demonstrative Examples

Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

(Bad Code)

Example Language: Java

try {

// Something that may throw an exception.

...

} catch (Throwable t) {

logger.error("Caught: " + t.toString());

return;

}

Observed Examples

Reference	Description
CVE-2004-0063	Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
CVE-2002-1446	Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
CVE-2002-0499	Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
CVE-2005-2459	Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	389	Error Conditions, Return Values, Status Codes	Development Concepts (primary)699
ChildOf	Weakness Base	684	Failure to Provide Specified Functionality	Research Concepts (primary)1000
ChildOf	Weakness Class	703	Failure to Handle Exceptional Conditions	Research Concepts1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Missing Error Status Code

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other Notes, Taxonomy Mappings
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Relationships
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Other Notes, Weakness Ordinalities
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Missing Error Status Code