Declaration of Throws for Generic Exception (4.17) (original) (raw)
| CWE Glossary Definition |  |
|---|---|
Weakness ID: 397
Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
Abstraction:Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
Description
The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.
Extended Description
Declaring a method to throw Exception or Throwable promotes generic error handling procedures that make it difficult for callers to perform proper error handling and error recovery. For example, Java's exception mechanism makes it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.
Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
| Impact | Details |
|---|---|
| Hide Activities; Alter Execution Logic | Scope: Non-Repudiation, Other Throwing a generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution. |
Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (View-1000)
Relevant to the view "Software Development" (View-699)
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf |  Category - a CWE entry that contains a set of other entries that share a common characteristic. |
389 | Error Conditions, Return Values, Status Codes |
Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
| Phase | Note |
|---|---|
| Implementation |
Applicable Platforms
This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
| Languages | C++(Undetermined Prevalence) C#(Undetermined Prevalence) Java(Undetermined Prevalence) Python(Undetermined Prevalence) |
|---|
Demonstrative Examples
Example 1
The following method throws three types of exceptions.
(good code)
Example Language: Java
public void doExchange() throws IOException, InvocationTargetException, SQLException {
...
}
While it might seem tidier to write
(bad code)
Example Language: Java
public void doExchange() throws Exception {
...
}
doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement.
Example 2
Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be thrown.
(bad code)
Example Language: C++
int myfunction() throw(std::exception) {
if (0) throw out_of_range();
throw length_error();
}
In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown.
Detection Methods
| Method | Details |
|---|---|
| Automated Static Analysis | Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Effectiveness: High |
Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Vulnerability Mapping Notes
| Usage | ALLOWED (this CWE ID may be used to map to real-world vulnerabilities) |
|---|---|
| Reason | Acceptable-Use |
| Rationale | This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. |
| Comments | Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. |
Notes
Applicable Platform
For C++, this weakness only applies to C++98, C++03, and C++11. It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | Overly-Broad Throws Declaration | ||
| The CERT Oracle Secure Coding Standard for Java (2011) | ERR07-J | Do not throw RuntimeException, Exception, or Throwable | |
| Software Fault Patterns | SFP5 | Ambiguous Exception Type | |
| OMG ASCSM | ASCSM-CWE-397 | ||
| OMG ASCRM | ASCRM-CWE-397 |
References
Content History
| Submissions |
||
|---|---|---|
| Submission Date | Submitter | Organization |
| 2006-07-19(CWE Draft 3, 2006-07-19) | 7 Pernicious Kingdoms | |
 Modifications |
||
| Modification Date | Modifier | Organization |
| 2025-04-03(CWE 4.17, 2025-04-03) | CWE Content Team | MITRE |
| updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description | ||
| 2024-02-29(CWE 4.14, 2024-02-29) | CWE Content Team | MITRE |
| updated Demonstrative_Examples | ||
| 2023-06-29 | CWE Content Team | MITRE |
| updated Mapping_Notes | ||
| 2023-04-27 | CWE Content Team | MITRE |
| updated Detection_Factors, Relationships, Time_of_Introduction | ||
| 2020-02-24 | CWE Content Team | MITRE |
| updated References | ||
| 2019-01-03 | CWE Content Team | MITRE |
| updated Applicable_Platforms, Demonstrative_Examples, References, Relationships, Taxonomy_Mappings | ||
| 2014-07-30 | CWE Content Team | MITRE |
| updated Relationships, Taxonomy_Mappings | ||
| 2012-05-11 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2011-06-01 | CWE Content Team | MITRE |
| updated Common_Consequences, Relationships, Taxonomy_Mappings | ||
| 2009-10-29 | CWE Content Team | MITRE |
| updated Description, Other_Notes | ||
| 2009-05-27 | CWE Content Team | MITRE |
| updated Demonstrative_Examples | ||
| 2009-03-10 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2008-10-14 | CWE Content Team | MITRE |
| updated Applicable_Platforms | ||
| 2008-09-24 | CWE Content Team | MITRE |
| Removed C from Applicable_Platforms | ||
| 2008-09-08 | CWE Content Team | MITRE |
| updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings | ||
| 2008-07-01 | Eric Dalci | Cigital |
| updated Time_of_Introduction | ||
| Previous Entry Names |
||
| Change Date | Previous Entry Name | |
| 2008-04-11 | Overly-Broad Throws Declaration |
More information is available — Please edit the custom filter or select a different filter.