CWE-600 Servlet中未捕获的异常

Uncaught Exception in Servlet

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown


The Servlet does not catch all exceptions, which may reveal sensitive debugging information.


When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.


  • cwe_Nature: ChildOf cwe_CWE_ID: 248 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 209 cwe_View_ID: 1000

  • cwe_Nature: PeerOf cwe_CWE_ID: 390 cwe_View_ID: 1000


范围 影响 注释
['Confidentiality', 'Availability'] ['Read Application Data', 'DoS: Crash, Exit, or Restart']




Implement Exception blocks to handle all types of Exceptions.


In the following method a DNS lookup failure will cause the Servlet to throw an exception.

bad Java

protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
String ip = req.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
out.println("hello " + addr.getHostName());



映射的分类名 ImNode ID Fit Mapped Node Name
The CERT Oracle Secure Coding Standard for Java (2011) ERR01-J Do not allow exceptions to expose sensitive information
Software Fault Patterns SFP4 Unchecked Status Condition