Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-248 (未捕获的异常) — Vulnerability Class 153

153 vulnerabilities classified as CWE-248 (未捕获的异常). AI Chinese analysis included.

CWE-248, Uncaught Exception, represents a critical software weakness where a function throws an error that the calling code fails to handle. This oversight typically allows attackers to exploit the vulnerability by triggering specific conditions that force the application to crash, resulting in a denial of service. Alternatively, the unhandled exception may cause the system to dump detailed stack traces or internal state information to the user interface, inadvertently exposing sensitive data such as database credentials or server architecture. To mitigate this risk, developers must implement robust error handling mechanisms, ensuring that all potential exceptions are explicitly caught and managed. By using try-catch blocks and providing generic, non-revealing error messages, programmers can maintain application stability and prevent information leakage, thereby securing the software against both availability attacks and data exposure.

MITRE CWE Description
An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information.
Common Consequences (1)
Availability, ConfidentialityDoS: Crash, Exit, or Restart, Read Application Data
An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.
Examples (2)
The following example attempts to resolve a hostname.
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException { String ip = req.getRemoteAddr(); InetAddress addr = InetAddress.getByName(ip); ... out.println("hello " + addr.getHostName()); }
Bad · Java
The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().
CVE IDTitleCVSSSeverityPublished
CVE-2018-11465 多款Siemens产品安全漏洞 — SINUMERIK 808D V4.7, SINUMERIK 808D V4.8, SINUMERIK 828D V4.7, SINUMERIK 840D sl V4.7, SINUMERIK 840D sl V4.8 7.8 -2018-12-12
CVE-2018-11466 多款Siemens产品安全漏洞 — SINUMERIK 808D V4.7, SINUMERIK 808D V4.8, SINUMERIK 828D V4.7, SINUMERIK 840D sl V4.7, SINUMERIK 840D sl V4.8 7.8 -2018-12-12
CVE-2016-10363 Elasticsearch Logstash 安全漏洞 — Logstash 7.5 -2017-06-16

Vulnerabilities classified as CWE-248 (未捕获的异常) represent 153 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.