
CWE-396 (Declaration of Catch for Generic Exception) — Vulnerability Class 2

2 vulnerabilities classified as CWE-396 (Declaration of Catch for Generic Exception). AI analysis in Chinese included.

CWE-396 represents a coding weakness where developers catch overly broad exception types, such as the generic Exception class, rather than specific error types. This practice obscures critical error details, making it difficult to distinguish between expected runtime issues and unexpected security-related failures. Attackers typically exploit this by triggering specific vulnerabilities that generate exceptions, which are then silently swallowed or mishandled by the generic catch block. This lack of granular error handling can lead to information disclosure, denial of service, or unintended state changes. To avoid this weakness, developers should implement precise exception handling by catching only the specific exceptions they intend to manage. This approach ensures that unexpected errors propagate correctly, allowing for proper logging, debugging, and secure failure responses, thereby maintaining the integrity and stability of the application.

MITRE CWE Description
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of a language's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.
Common Consequences (1)
Scope: Non-Repudiation, Other · Impact: Hide Activities
A generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution.
Examples (1)
The following code excerpt handles three types of exceptions in an identical fashion.

Good · Java
try {
    doExchange();
} catch (IOException e) {
    logger.error("doExchange failed", e);
} catch (InvocationTargetException e) {
    logger.error("doExchange failed", e);
} catch (SQLException e) {
    logger.error("doExchange failed", e);
}

Bad · Java
try {
    doExchange();
} catch (Exception e) {
    logger.error("doExchange failed", e);
}
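The description above and the MITRE example both make the same point: a catch-all block handles an unexpected failure exactly like an expected one, so the unexpected one never gets the attention it deserves. The following Python example is added here to show that effect end to end; it is not code from the CWE entry or from any of the listed CVEs. The exchange function, the two exception classes (ExchangeError standing in for the page's IOException, SignatureError for a failure that should never be treated as routine) and the input strings are all constructed for the demonstration.

```python
# Added example (not from the CWE entry): an overly broad "except Exception"
# hides a failure that should have stopped the call. The exchange function,
# the exception classes and the messages below are constructed for this demo.
from typing import Callable, List, Optional


class ExchangeError(Exception):
    """Expected, recoverable transport failure (the IOException of the page's example)."""


class SignatureError(Exception):
    """Unexpected failure: the peer's reply did not pass integrity verification."""


def do_exchange(message: str) -> str:
    """Hypothetical peer exchange; which exception it raises depends on the constructed input."""
    if message == "timeout":
        raise ExchangeError("peer did not answer")
    if message == "bad-signature":
        raise SignatureError("reply signature did not verify")
    return "ack"


def exchange_broad(message: str, log: List[str]) -> Optional[str]:
    """CWE-396 pattern: one catch-all block treats every failure as a transport hiccup."""
    try:
        return do_exchange(message)
    except Exception as exc:  # swallows SignatureError exactly like ExchangeError
        log.append(f"doExchange failed: {exc}")
        return None


def exchange_specific(message: str, log: List[str]) -> Optional[str]:
    """Corrected pattern: only the expected failure is handled; anything else propagates."""
    try:
        return do_exchange(message)
    except ExchangeError as exc:
        log.append(f"doExchange failed (transport): {exc}")
        return None


def outcome(handler: Callable[[str, List[str]], Optional[str]], message: str) -> str:
    """Run one handler and report whether the call succeeded, was quietly handled, or propagated.

    The harness catches broadly on purpose: it only labels what reached it, it does not act on it.
    """
    log: List[str] = []
    try:
        result = handler(message, log)
    except Exception as exc:
        return f"propagated:{type(exc).__name__}"
    return "ok" if result is not None else f"handled:{log[0]}"


if __name__ == "__main__":
    for msg in ("hello", "timeout", "bad-signature"):
        print(f"{msg:14} broad={outcome(exchange_broad, msg):55} specific={outcome(exchange_specific, msg)}")
```

Running the block prints one line per input. For "bad-signature" the broad handler reports a generic "doExchange failed" entry in the log, indistinguishable from a timeout, while the specific handler lets SignatureError propagate so the caller (or a top-level handler that logs with full context) has to deal with it. Note that a bare `except:` in Python is broader still, since it also catches SystemExit and KeyboardInterrupt.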

Vulnerabilities classified as CWE-396 (Declaration of Catch for Generic Exception) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.