
CWE-248 (Uncaught Exception) — Vulnerability Class 153

153 vulnerabilities classified as CWE-248 (Uncaught Exception). AI Chinese analysis included.

CWE-248, Uncaught Exception, represents a critical software weakness where a function throws an error that the calling code fails to handle. This oversight typically allows attackers to exploit the vulnerability by triggering specific conditions that force the application to crash, resulting in a denial of service. Alternatively, the unhandled exception may cause the system to dump detailed stack traces or internal state information to the user interface, inadvertently exposing sensitive data such as database credentials or server architecture. To mitigate this risk, developers must implement robust error handling mechanisms, ensuring that all potential exceptions are explicitly caught and managed. By using try-catch blocks and providing generic, non-revealing error messages, programmers can maintain application stability and prevent information leakage, thereby securing the software against both availability attacks and data exposure.

MITRE CWE Description
An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information.
Common Consequences (1)
Scope: Availability, Confidentiality · Impact: DoS: Crash, Exit, or Restart; Read Application Data
An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.
Examples (2)
The following example attempts to resolve a hostname.

Bad · Java

    protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        // getByName() can throw UnknownHostException (a subclass of IOException);
        // nothing here catches it, so it propagates out of doPost() to the container.
        InetAddress addr = InetAddress.getByName(ip);
        ...
        out.println("hello " + addr.getHostName());
    }
The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().
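As an added example (not code from this page or from MITRE), the doPost() logic above restructured so that the UnknownHostException from getByName() is handled inside the application, logged server-side, and replaced by a generic client-facing message; the class name SafeResolver and the methods resolveGreeting() and handle() are names chosen here, and the servlet API is left out so the file compiles with the JDK alone.

```java
// Added example: hardened counterpart of the "Bad" doPost() pattern.
// SafeResolver, resolveGreeting() and handle() are hypothetical names.
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeResolver {
    private static final Logger LOG = Logger.getLogger(SafeResolver.class.getName());

    // Returns the text to show the client. The checked UnknownHostException
    // from getByName() is caught here instead of escaping to the caller.
    public static String resolveGreeting(String remoteAddr) {
        try {
            InetAddress addr = InetAddress.getByName(remoteAddr);
            return "hello " + addr.getHostName();
        } catch (UnknownHostException e) {
            // Detail goes to the server log only; the client sees no stack trace.
            LOG.log(Level.WARNING, "reverse lookup failed for " + remoteAddr, e);
            return "hello";
        }
    }

    // Handler boundary: any unexpected RuntimeException is also caught so the
    // process keeps serving and the response body carries a generic message.
    public static String handle(String remoteAddr) {
        try {
            return resolveGreeting(remoteAddr);
        } catch (RuntimeException e) {
            LOG.log(Level.SEVERE, "unexpected failure in handler", e);
            return "An internal error occurred.";
        }
    }

    public static void main(String[] args) {
        System.out.println(handle("127.0.0.1"));            // normal path
        System.out.println(handle("no-such-host.invalid")); // UnknownHostException path
    }
}
```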
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-41940 | Uncaught exception in engine.io | engine.io | 7.1 | High | 2022-11-22
CVE-2022-39386 | fastify-websocket vulnerable to uncaught exception via crash on malformed packet | fastify-websocket | 7.5 | High | 2022-11-08
CVE-2022-20919 | Cisco IOS and IOS XE Software Common Industrial Protocol Request Denial of Service Vulnerability | Cisco IOS | 8.6 | High | 2022-09-30
CVE-2022-36046 | Unexpected server crash in Next.js version 12.2.3 | next.js | 5.3 | Medium | 2022-08-31
CVE-2022-1975 | Linux kernel security vulnerability | Linux kernel | 5.5 | - | 2022-08-31
CVE-2022-31015 | Uncaught Exception (due to a data race) leads to process termination in Waitress | waitress | 6.5 | Medium | 2022-05-31
CVE-2021-41545 | Multiple Siemens products security vulnerability | Desigo DXR2 | 7.5 | - | 2022-05-10
CVE-2022-20761 | Cisco 1000 Series Connected Grid Router Integrated Wireless Access Point Denial of Service Vulnerability | Cisco IOS | 7.4 | High | 2022-04-15
CVE-2022-20675 | Multiple Cisco Security Products Simple Network Management Protocol Service Denial of Service Vulnerability | Cisco Web Security Appliance (WSA) | 5.3 | Medium | 2022-04-06
CVE-2022-24822 | Denial of Service in @podium/layout and @podium/proxy | proxy | 7.5 | High | 2022-04-06
CVE-2021-33010 | AVEVA System Platform Uncaught Exception | AVEVA System Platform | 7.5 | High | 2022-04-04
CVE-2021-25971 | Camaleon CMS - SVG File Upload Creates DoS for Media Upload Feature | camaleon_cms | 4.3 | Medium | 2021-10-20
CVE-2021-36802 | Akaunting DoS via User-Controlled 'locale' Variable | Akaunting | 6.5 | Medium | 2021-08-04
CVE-2021-32694 | Malicious Android application can crash the Nextcloud Android Client | security-advisories | 4.1 | Medium | 2021-06-17
CVE-2020-15796 | Siemens SIMATIC Controller Web Servers security vulnerability | SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) | 7.5 | - | 2020-12-14
CVE-2020-6019 | ValveSoftware GameNetworkingSockets security vulnerability | Game Networking Sockets | 7.5 | - | 2020-11-13
CVE-2020-27121 | Cisco Unified Communications Manager IM and Presence Service Denial of Service Vulnerability | Cisco Unified Communications Manager IM and Presence Service | 4.3 | Medium | 2020-11-06
CVE-2020-10292 | Service DoS through arbitrary pointer dereferencing on KUKA simulator | Visual Components Network License Server 2.0.8 | 7.5 | - | 2020-11-06
CVE-2020-14348 | Red Hat AMQ code issue vulnerability | AMQ | 4.3 | - | 2020-09-16
CVE-2020-10604 | OSIsoft PI Data Archive security vulnerability | OSIsoft PI System multiple products and versions | 7.5 | - | 2020-07-24
CVE-2020-5129 | SonicWall SMA100 HTTP Extraweb server environment issue vulnerability | SMA1000 | 7.5 | - | 2020-03-26
CVE-2019-6828 | Multiple Schneider Electric products security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-6809 | Multiple Schneider Electric products security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-6829 | Schneider Electric Modicon M340 and Modicon M580 security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-6830 | Schneider Electric Modicon M580 security vulnerability | Modicon M580 | 7.5 | - | 2019-09-17
CVE-2019-10931 | SIEMENS DIGSI 4 security vulnerability | All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules | 9.1 | - | 2019-07-11
CVE-2019-10917 | Siemens SIMATIC PCS 7 and SIMATIC WinCC input validation error vulnerability | SIMATIC PCS 7 V8.0 and earlier | 8.8 | - | 2019-05-14
CVE-2019-6575 | Multiple Siemens products input validation error vulnerability | SIMATIC CP 443-1 OPC UA | 7.5 | - | 2019-04-17
CVE-2019-7474 | SonicWall SonicOS access control error vulnerability | SonicOS | 6.5 | - | 2019-04-02
CVE-2018-11464 | Multiple Siemens products security vulnerability | SINUMERIK 828D V4.7, SINUMERIK 840D sl V4.7, SINUMERIK 840D sl V4.8 | 7.5 | - | 2018-12-12

Vulnerabilities classified as CWE-248 (Uncaught Exception) represent 153 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.