CWE-392: Missing Report of Error Condition

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown


The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.


  • Nature: ChildOf, CWE ID: 684, View ID: 1000, Ordinal: Primary

  • Nature: ChildOf, CWE ID: 703, View ID: 1000


Language: Language-Independent (Prevalence: Undetermined)


Scope | Impact | Notes
Integrity, Other | Varies by Context, Unexpected State | Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.


In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

Example language: Java (bad code)

    try {
        // Something that may throw an exception.
    } catch (Throwable t) {
        // The exception is logged, but no error status is set on the
        // response, so the client still receives the default "200 OK".
        logger.error("Caught: " + t.toString());
    }
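The following is an added example, not code from the CWE entry, that places the silent-failure pattern above beside a corrected handler. It uses the JDK's built-in com.sun.net.httpserver package instead of the servlet API so that it runs without a container, java.util.logging instead of the page's unspecified logger, and a constructed doWork() method as the stand-in for "something that may throw an exception". The class name Cwe392Demo and the paths /silent and /reporting are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

// Added example (not from the CWE entry): a handler that swallows the error
// status beside one that reports it, served by the JDK's own HttpServer.
public class Cwe392Demo {
    private static final Logger logger = Logger.getLogger("cwe392");

    // Constructed placeholder for "something that may throw an exception".
    static void doWork() {
        throw new IllegalStateException("backend unavailable");
    }

    // Bad: the failure is logged, but the response status stays 200,
    // so the client believes the request succeeded.
    static class SilentHandler implements HttpHandler {
        public void handle(HttpExchange ex) throws IOException {
            byte[] body = "done".getBytes(StandardCharsets.UTF_8);
            try {
                doWork();
            } catch (Throwable t) {
                logger.severe("Caught: " + t);
            }
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        }
    }

    // Fixed: the error is still logged, but the status code now reports it,
    // so callers can detect the failure. Catching Exception rather than
    // Throwable leaves JVM errors (e.g. OutOfMemoryError) to propagate.
    static class ReportingHandler implements HttpHandler {
        public void handle(HttpExchange ex) throws IOException {
            int status = 200;
            byte[] body = "done".getBytes(StandardCharsets.UTF_8);
            try {
                doWork();
            } catch (Exception e) {
                logger.severe("Caught: " + e);
                status = 500;
                body = "internal error".getBytes(StandardCharsets.UTF_8);
            }
            ex.sendResponseHeaders(status, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        }
    }

    // Issues a GET against the local server and returns only the status code.
    static int fetchStatus(int port, String path) throws IOException {
        URL url = new URL("http://127.0.0.1:" + port + path);
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        int code = c.getResponseCode();
        c.disconnect();
        return code;
    }

    public static void main(String[] args) throws IOException {
        // Port 0 lets the OS pick a free port; nothing leaves the loopback interface.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/silent", new SilentHandler());
        server.createContext("/reporting", new ReportingHandler());
        server.start();
        int port = server.getAddress().getPort();
        try {
            System.out.println("/silent    -> " + fetchStatus(port, "/silent"));
            System.out.println("/reporting -> " + fetchStatus(port, "/reporting"));
        } finally {
            server.stop(0);
        }
    }
}
```

Both handlers hit the same failing doWork(), and both write a log line; the difference is visible only to the client. The silent handler answers with 200 and a "done" body, so a caller that checks the status code has no way to tell that anything went wrong, while the reporting handler answers with 500. The same split applies to any API: a log entry is for operators, the return value or status code is the contract with the caller, and the weakness is that only the first is produced.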


Reference | Description
CVE-2004-0063 | Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
CVE-2002-1446 | Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
CVE-2002-0499 | Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
CVE-2005-2459 | Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.


Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Missing Error Status Code
The CERT Oracle Secure Coding Standard for Java (2011) | TPS03-J | | Ensure that tasks executing in a thread pool do not fail silently
Software Fault Patterns | SFP6 | | Incorrect Exception Behavior