CWE-248 未捕获的异常

Uncaught Exception

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

An exception is thrown from a function, but it is not caught.

扩展描述

When an exception is not caught, it may cause the program to crash or expose sensitive information.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 705 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 703 cwe_View_ID: 1000

适用平台

Language: [{'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C#', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

示例代码

例

The following example attempts to resolve a hostname.

bad Java

A DNS lookup failure will cause the Servlet to throw an exception.

例

The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().

例

EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack.

分类映射

文章来源于互联网:scap中文网