
CWE-248 (Uncaught Exception) — Vulnerability Class (156 CVEs)

156 vulnerabilities classified as CWE-248 (Uncaught Exception). AI-generated Chinese analysis included.

CWE-248, Uncaught Exception, describes code in which a function throws an exception that the calling code does not handle. An attacker who can trigger the throwing condition (a malformed packet, an unresolvable name, an oversized allocation) gets one of two outcomes. Either the exception unwinds to the top of the thread or process and the application crashes, which is a denial of service, or the runtime's default handler renders the exception to the client and the response carries a stack trace or internal state: file paths, library versions, query fragments, sometimes configuration values. The fix is to handle exceptions at the boundary where untrusted input enters (request handler, message callback, protocol parser) rather than to wrap everything in a blanket catch: validate input before the fallible call, catch the specific exceptions that call can raise, log the detail server-side, and return a generic, non-revealing error to the caller. Done that way the service stays up across bad input and the caller learns nothing about the internals.
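The pattern above, written out as an added example that is not code from this page or from any of the listed projects. Several entries in the CVE list below are Node.js services that die on a malformed frame, so the example is a Node.js-style frame handler shown in its vulnerable and hardened forms; the function names (handleFrameVulnerable, handleFrameHardened, dispatch, serveAll) and the sample frames are assumptions made for illustration.

```javascript
'use strict';
// Added example (not from the page or any listed project): CWE-248 in a
// Node.js-style frame handler, vulnerable form beside the hardened form.
// All names and the sample frames are assumptions made for illustration.

// Constructed sample input: one valid frame followed by three malformed ones.
const SAMPLE_FRAMES = [
  '{"type":"ping","id":1}',     // valid
  '{"type":"ping",',            // truncated JSON: JSON.parse throws SyntaxError
  '{"type":"ping","id":{}}',    // wrong field type: dispatch would throw TypeError
  '[]',                         // wrong top-level shape: no "type" or "id" field
];

// Application logic that assumes a well-formed frame (object with a numeric id).
function dispatch(msg) {
  if (msg.type === 'ping') {
    return { type: 'pong', id: msg.id.toFixed(0) }; // TypeError if id is not a number
  }
  throw new Error('unknown frame type: ' + String(msg.type));
}

// VULNERABLE: nothing here catches what JSON.parse or dispatch throw. In a
// real server this runs inside a socket 'message' callback, so the exception
// propagates to the event loop and Node terminates the process.
function handleFrameVulnerable(raw) {
  const msg = JSON.parse(raw);
  return dispatch(msg);
}

// HARDENED: check the shape first, catch everything the fallible steps can
// throw, record the detail server-side, and return a generic reply to the peer.
// `log` is injected so the server-side record can be inspected in a test.
function handleFrameHardened(raw, log = console.error) {
  try {
    const msg = JSON.parse(raw);
    if (msg === null || typeof msg !== 'object' || typeof msg.id !== 'number') {
      throw new TypeError('frame failed schema check');
    }
    return dispatch(msg);
  } catch (err) {
    log(`frame rejected: ${err.name}: ${err.message}`); // detail stays on the server
    return { type: 'error', message: 'invalid frame' };  // nothing internal reaches the peer
  }
}

// Simulates one connection delivering frames in order. An exception escaping
// the handler stands in for the process dying: no later frame is served.
function serveAll(handler, frames, log) {
  const replies = [];
  let crashed = null;
  for (const raw of frames) {
    try {
      replies.push(handler(raw, log));
    } catch (err) {
      crashed = `${err.name}: ${err.message}`;
      break;
    }
  }
  return { replies, crashed };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('vulnerable:', serveAll(handleFrameVulnerable, SAMPLE_FRAMES));
  const logged = [];
  console.log('hardened:', serveAll(handleFrameHardened, SAMPLE_FRAMES, (m) => logged.push(m)));
  console.log('server log:', logged);
}
```

With the vulnerable handler the second frame ends the connection's processing (and, in a real process, the process); with the hardened handler all four frames get a reply and the three failures are visible only in the server-side log. Two Node.js caveats matter here: an exception thrown from an event-loop callback (socket 'message', a timer, a stream event) never passes through a try/catch placed around the request that created the socket, so the catch has to sit inside the callback itself; and an unhandled promise rejection is likewise fatal by default, so async handlers need the same treatment. process.on('uncaughtException') is a place to log and exit cleanly, not a substitute for handling at the boundary.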

MITRE CWE Description
An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information.
Common Consequences (1)
Scope: Availability, Confidentiality
Impact: DoS: Crash, Exit, or Restart; Read Application Data
An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.
Examples (2)
The following example attempts to resolve a hostname. InetAddress.getByName() throws UnknownHostException (a subclass of IOException) when the lookup fails, and nothing in doPost() catches it, so a failed lookup aborts the request with an uncaught exception and, depending on the servlet container's error page, a stack trace in the response.

    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        // Throws UnknownHostException if the lookup fails; not caught here
        InetAddress addr = InetAddress.getByName(ip);
        ...
        out.println("hello " + addr.getHostName());
    }

Bad · Java
The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() raises a stack-overflow structured exception (a Windows SEH exception, not a C++ exception, so an ordinary try/catch does not see it; catching it requires __try/__except, followed by _resetstkoflw() to restore the guard page). If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005. It has been replaced with the more secure _malloca(), which serves small requests from the stack and larger ones from the heap, and must be paired with _freea().
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-0158 | Triggered crash on direct RRDP access | Krill | 6.5 | - | 2023-01-17
CVE-2023-22477 | Mercurius is vulnerable to denial of service (DoS) when using subscriptions | mercurius | 5.3 | Medium | 2023-01-09
CVE-2022-3500 | keylime security vulnerability | keylime | 5.1 | - | 2022-11-22
CVE-2022-41940 | Uncaught exception in engine.io | engine.io | 7.1 | High | 2022-11-22
CVE-2022-39386 | fastify-websocket vulnerable to uncaught exception via crash on malformed packet | fastify-websocket | 7.5 | High | 2022-11-08
CVE-2022-20919 | Cisco IOS and IOS XE Software Common Industrial Protocol Request Denial of Service Vulnerability | Cisco IOS | 8.6 | High | 2022-09-30
CVE-2022-36046 | Unexpected server crash in Next.js version 12.2.3 | next.js | 5.3 | Medium | 2022-08-31
CVE-2022-1975 | Linux kernel security vulnerability | Linux kernel | 5.5 | - | 2022-08-31
CVE-2022-31015 | Uncaught Exception (due to a data race) leads to process termination in Waitress | waitress | 6.5 | Medium | 2022-05-31
CVE-2021-41545 | Multiple Siemens products security vulnerability | Desigo DXR2 | 7.5 | - | 2022-05-10
CVE-2022-20761 | Cisco 1000 Series Connected Grid Router Integrated Wireless Access Point Denial of Service Vulnerability | Cisco IOS | 7.4 | High | 2022-04-15
CVE-2022-20675 | Multiple Cisco Security Products Simple Network Management Protocol Service Denial of Service Vulnerability | Cisco Web Security Appliance (WSA) | 5.3 | Medium | 2022-04-06
CVE-2022-24822 | Denial of Service in @podium/layout and @podium/proxy | proxy | 7.5 | High | 2022-04-06
CVE-2021-33010 | AVEVA System Platform Uncaught Exception | AVEVA System Platform | 7.5 | High | 2022-04-04
CVE-2021-25971 | Camaleon CMS - SVG File Upload Creates DoS for Media Upload Feature | camaleon_cms | 4.3 | Medium | 2021-10-20
CVE-2021-36802 | Akaunting DoS via User-Controlled 'locale' Variable | Akaunting | 6.5 | Medium | 2021-08-04
CVE-2021-32694 | Malicious Android application can crash the Nextcloud Android Client | security-advisories | 4.1 | Medium | 2021-06-17
CVE-2020-15796 | Siemens SIMATIC Controller Web Servers security vulnerability | SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) | 7.5 | - | 2020-12-14
CVE-2020-6019 | ValveSoftware GameNetworkingSockets security vulnerability | Game Networking Sockets | 7.5 | - | 2020-11-13
CVE-2020-27121 | Cisco Unified Communications Manager IM and Presence Service Denial of Service Vulnerability | Cisco Unified Communications Manager IM and Presence Service | 4.3 | Medium | 2020-11-06
CVE-2020-10292 | Service DoS through arbitrary pointer dereferencing on KUKA simulator | Visual Components Network License Server 2.0.8 | 7.5 | - | 2020-11-06
CVE-2020-14348 | Red Hat AMQ code issue vulnerability | AMQ | 4.3 | - | 2020-09-16
CVE-2020-10604 | OSIsoft PI Data Archive security vulnerability | OSIsoft PI System multiple products and versions | 7.5 | - | 2020-07-24
CVE-2020-5129 | SonicWall SMA100 HTTP Extraweb server environment issue vulnerability | SMA1000 | 7.5 | - | 2020-03-26
CVE-2019-6828 | Multiple Schneider Electric products security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-6809 | Multiple Schneider Electric products security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-6829 | Schneider Electric Modicon M340 and Modicon M580 security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-6830 | Schneider Electric Modicon M580 security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-10931 | SIEMENS DIGSI 4 security vulnerability | All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules | 9.1 | - | 2019-07-11
CVE-2019-10917 | Siemens SIMATIC PCS 7 and SIMATIC WinCC input validation error vulnerability | SIMATIC PCS 7 V8.0 and earlier | 8.8 | - | 2019-05-14
(Severity "-" means no severity rating is listed for that entry.)

Vulnerabilities classified as CWE-248 (Uncaught Exception) represent 156 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.