CWE-248 (Uncaught Exception): Vulnerability Class, 153 CVEs

153 vulnerabilities classified as CWE-248 (Uncaught Exception). AI Chinese analysis included.

CWE-248, Uncaught Exception, is a critical software weakness in which a function throws an exception that the calling code never handles. An attacker who can trigger the condition that raises the exception can crash the application, causing a denial of service. Alternatively, the unhandled exception may cause the system to return a detailed stack trace or internal state to the user interface, exposing sensitive data such as database credentials or details of the server architecture. To mitigate the risk, developers must implement robust error handling so that every exception that can reach an untrusted boundary is explicitly caught and managed. Catching exceptions in try-catch blocks and returning generic, non-revealing error messages keeps the application stable and prevents information leakage, protecting the software against both availability attacks and data exposure.
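The paragraph above prescribes a catch-everything boundary that answers with a generic message. The following is an added example, not code from this page or from MITRE, written in Rust, where an unhandled panic plays the role of the uncaught exception. A hypothetical serve() wrapper catches both returned errors and panics from a simulated handle() function, answers the client with a generic 500, and records the detail only in a server-side log. The request paths, the AppError type and the connection string are constructed for the example.

```rust
// Added example (not from the page): an exception boundary in Rust.
// A panic that escapes a request handler takes the thread (and, in a
// single-threaded server, the process) down: the Rust analogue of CWE-248.
// Requires the default panic=unwind setting; with panic=abort there is
// nothing to catch.
use std::panic;

/// What the client receives. The body is deliberately generic on failure.
#[derive(Debug, PartialEq)]
pub struct Response {
    pub status: u16,
    pub body: String,
}

/// Hypothetical application error whose Display text carries internal detail.
#[derive(Debug)]
pub enum AppError {
    Db(String),
}

impl std::fmt::Display for AppError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            AppError::Db(detail) => write!(f, "database error: {detail}"),
        }
    }
}

/// Simulated handler (constructed): "/crash" panics through an unwrap on
/// bad input, "/db" returns an error containing a constructed credential,
/// any other path succeeds.
pub fn handle(path: &str) -> Result<String, AppError> {
    match path {
        "/crash" => {
            // unwrap() on an Err is an uncaught exception in Rust terms.
            let n: u32 = "not-a-number".parse().unwrap();
            Ok(format!("parsed {n}"))
        }
        "/db" => Err(AppError::Db(
            "connect to postgres://app:S3cret@db.internal:5432 failed".to_string(),
        )),
        _ => Ok(format!("hello from {path}")),
    }
}

/// The boundary: neither an Err nor a panic reaches the client as detail.
/// Returns the response together with what was written to the internal log.
pub fn serve(path: &str) -> (Response, Vec<String>) {
    let mut log = Vec::new();
    let outcome = panic::catch_unwind(|| handle(path));
    let response = match outcome {
        Ok(Ok(body)) => Response { status: 200, body },
        Ok(Err(err)) => {
            log.push(format!("handler error on {path}: {err}"));
            generic_failure()
        }
        Err(payload) => {
            // A panic payload is normally a &str or a String; keep it internal.
            let msg = payload
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| payload.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "non-string panic payload".to_string());
            log.push(format!("handler panicked on {path}: {msg}"));
            generic_failure()
        }
    };
    (response, log)
}

fn generic_failure() -> Response {
    Response { status: 500, body: "internal error".to_string() }
}

fn main() {
    for path in ["/index", "/db", "/crash"] {
        let (resp, log) = serve(path);
        println!("{path}: {} {}", resp.status, resp.body);
        for line in log {
            println!("  log: {line}");
        }
    }
}
```

The default panic hook still prints the panic message to stderr before catch_unwind sees it; a real service would install its own hook with panic::set_hook so that this output goes to the same internal log and never to a client-facing channel.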

MITRE CWE Description
An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information.

Common Consequences (1)
Scope: Availability, Confidentiality
Impact: DoS: Crash, Exit, or Restart; Read Application Data
Note: An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.

Examples (2)
Example 1 (Bad, Java): The following example attempts to resolve a hostname.

    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        // getByName() throws UnknownHostException (an IOException) when the
        // address cannot be resolved; nothing in this method catches it, so
        // it propagates out of doPost() and up to the servlet container.
        InetAddress addr = InetAddress.getByName(ip);
        ...
        out.println("hello " + addr.getHostName());
    }

Example 2: The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().
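Both MITRE examples hinge on a callee that throws on input the caller never validated. As an added example (not the page's or MITRE's code, and not taken from any of the CVEs listed below), here is the same defect in a Rust parser for a constructed length-prefixed wire format: parse_unchecked() indexes the buffer on trust and panics on truncated or oversized input, the pattern behind the panic-on-crafted-input entries in the list, while parse_checked() returns a ParseError so the caller can reject the message and keep serving. The panics() helper exists only to demonstrate the crash without taking the process down.

```rust
// Added example (not from the page): one parser written twice.
// Wire format (constructed for this example): 1-byte kind, 2-byte big-endian
// payload length, then the payload bytes.

#[derive(Debug, PartialEq)]
pub struct Message {
    pub kind: u8,
    pub payload: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The length field promised more bytes than the buffer holds.
    Truncated { needed: usize, have: usize },
    /// Bytes left over after the declared payload.
    TrailingBytes(usize),
}

/// Before: trusts the input. Each indexing operation is an uncaught
/// exception waiting for a crafted or truncated message.
pub fn parse_unchecked(buf: &[u8]) -> Message {
    let kind = buf[0]; // panics on an empty buffer
    let len = u16::from_be_bytes([buf[1], buf[2]]) as usize; // panics if < 3 bytes
    let payload = buf[3..3 + len].to_vec(); // panics if len exceeds the buffer
    Message { kind, payload }
}

/// After: every access is bounds-checked via get(), and every failure is
/// reported as a value the caller must handle instead of a panic.
pub fn parse_checked(buf: &[u8]) -> Result<Message, ParseError> {
    let header = buf
        .get(0..3)
        .ok_or(ParseError::Truncated { needed: 3, have: buf.len() })?;
    let kind = header[0];
    let len = u16::from_be_bytes([header[1], header[2]]) as usize;
    let end = 3 + len; // at most 3 + 65535, cannot overflow usize
    let payload = buf
        .get(3..end)
        .ok_or(ParseError::Truncated { needed: end, have: buf.len() })?;
    if buf.len() != end {
        return Err(ParseError::TrailingBytes(buf.len() - end));
    }
    Ok(Message { kind, payload: payload.to_vec() })
}

/// Demonstration helper: true if the unchecked parser panics on `buf`.
pub fn panics(buf: &[u8]) -> bool {
    std::panic::catch_unwind(|| parse_unchecked(buf)).is_err()
}

fn main() {
    let good = [0x01, 0x00, 0x03, b'a', b'b', b'c'];
    let crafted = [0x01, 0xff, 0xff, b'a']; // claims a 65535-byte payload
    println!("checked, good input:    {:?}", parse_checked(&good));
    println!("checked, crafted input: {:?}", parse_checked(&crafted));
    println!("unchecked parser panics on crafted input: {}", panics(&crafted));
}
```

The checked version also rejects trailing bytes; a parser that silently ignores them is a common source of desynchronisation between two peers reading the same stream.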
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-28835 | Gnutls: potential crash during chain building/verification | - | 5.0 | Medium | 2024-03-21
CVE-2023-3966 | Openvswitch: ovs-vswitch fails to recover after malformed geneve metadata packet | openvswitch | 7.5 | High | 2024-02-22
CVE-2023-6640 | Silicon Labs PC Controller v5.54.0 and Earlier Denial of Service Vulnerability | PC Controller | 6.5 | Medium | 2024-02-21
CVE-2023-6533 | Silicon Labs PC Controller Denial of Service Vulnerability | PC Controller | 6.5 | Medium | 2024-02-21
CVE-2024-21983 | Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale) | StorageGRID | 6.5 | Medium | 2024-02-16
CVE-2023-27318 | Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale) | StorageGRID (formerly StorageGRID Webscale) | 6.5 | Medium | 2024-02-05
CVE-2023-5310 | Z-Wave Denial of Service caused by Stream of Packets | Gecko SDK | 5.7 | Medium | 2023-12-15
CVE-2023-20086 | Cisco Firepower Threat Defense and Cisco ASA security vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 8.6 | High | 2023-11-01
CVE-2023-46239 | quic-go vulnerable to pointer dereference that can lead to panic | quic-go | 7.5 | High | 2023-10-31
CVE-2023-46135 | Panic in SignedPayload::from_payload | rs-stellar-strkey | 5.3 | Medium | 2023-10-25
CVE-2023-25526 | NVIDIA Cumulus Linux security vulnerability | Cumulus Linux | 6.5 | Medium | 2023-09-20
CVE-2023-42447 | blurhash panics on parsing crafted inputs | blurhash-rs | 8.6 | High | 2023-09-19
CVE-2023-42444 | phonenumber panics on parsing crafted RFC3966 inputs | rust-phonenumber | 8.6 | High | 2023-09-19
CVE-2023-4785 | Denial of Service in gRPC Core | gRPC | 7.5 | High | 2023-09-13
CVE-2023-23774 | Motorola MBTS Site Controller security vulnerability | EBTS/MBTS Base Radio | 8.4 | High | 2023-08-29
CVE-2023-39948 | Uncaught fastcdr exception (Unexpected CDR type received) crashing fastdds | Fast-DDS | 7.5 | High | 2023-08-11
CVE-2023-39945 | Malformed serialized data in a data submessage leads to unhandled exception | Fast-DDS | 8.2 | High | 2023-08-11
CVE-2023-3774 | Vault Enterprise Namespace Creation May Lead to Denial of Service | Vault Enterprise | 4.9 | Medium | 2023-07-28
CVE-2023-38504 | Sails DoS vulnerability for apps with sockets enabled | sails | 7.5 | High | 2023-07-27
CVE-2023-1691 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.5 | - | 2023-07-06
CVE-2023-3405 | Denial of service condition in M-Files Server | M-Files Server | 7.5 | High | 2023-06-27
CVE-2023-31125 | Uncaught exception in engine.io | engine.io | 6.5 | Medium | 2023-05-08
CVE-2023-2251 | Uncaught Exception in eemeli/yaml | eemeli/yaml | 7.8 | - | 2023-04-24
CVE-2023-29520 | Page render failure due to broken translations in xwiki-platform | xwiki-platform | 4.3 | Medium | 2023-04-18
CVE-2023-22941 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Splunk Enterprise | 6.5 | Medium | 2023-02-14
CVE-2023-0790 | Uncaught Exception in thorsten/phpmyfaq | thorsten/phpmyfaq | 7.6 | High | 2023-02-12
CVE-2023-23932 | Specially crafted RTPS message may cause an OpenDDS application to crash | OpenDDS | 5.3 | Medium | 2023-02-03
CVE-2023-0158 | Triggered crash on direct RRDP access | Krill | 6.5 | - | 2023-01-17
CVE-2023-22477 | Mercurius is vulnerable to denial of service (DoS) when using subscriptions | mercurius | 5.3 | Medium | 2023-01-09
CVE-2022-3500 | keylime security vulnerability | keylime | 5.1 | - | 2022-11-22

Vulnerabilities classified as CWE-248 (Uncaught Exception) account for 153 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.