{"@ID": "703", "@Name": "Improper Check or Handling of Exceptional Conditions", "@Abstraction": "Pillar", "@Structure": "Simple", "@Status": "Incomplete", "@Diagram": "/data/images/CWE-703-Diagram.png", "Description": "The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.", "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Availability", "Integrity"], "Impact": ["Read Application Data", "DoS: Crash, Exit, or Restart", "Unexpected State"]}}, "Detection_Methods": {"Detection_Method": [{"Method": "Dynamic Analysis with Manual Results Interpretation", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": ["Highly cost effective:", "Cost effective for partial coverage:"], "xhtml:ul": [{"xhtml:li": ["Fault Injection - source code", "Fault Injection - binary"]}, {"xhtml:li": "Forced Path Execution"}]}}, "Effectiveness": "High"}, {"Method": "Manual Static Analysis - Source Code", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": ["Highly cost effective:", "Cost effective for partial coverage:"], "xhtml:ul": [{"xhtml:li": "Manual Source Code Review (not inspections)"}, {"xhtml:li": "Focused Manual Spotcheck - Focused manual analysis of source"}]}}, "Effectiveness": "High"}, {"Method": "Automated Static Analysis - Source Code", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": ["Source code Weakness Analyzer", "Context-configured Source Code Weakness Analyzer"]}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Architecture or Design Review", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Highly cost effective:", "xhtml:ul": {"xhtml:li": ["Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)", "Formal Methods / Correct-By-Construction"]}}}, "Effectiveness": "High"}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-7", "Intro_Text": "Consider the following code segment:", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null], "#text": "char buf[10], cp_buf[10];fgets(buf, 10, stdin);strcpy(cp_buf, buf);"}}, "Body_Text": "The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy()."}, {"@Demonstrative_Example_ID": "DX-198", "Intro_Text": "The following method throws three types of exceptions.", "Example_Code": [{"@Nature": "Good", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "#text": "..."}, "#text": "public void doExchange() throws IOException, InvocationTargetException, SQLException {}"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "#text": "..."}, "#text": "public void doExchange() throws Exception {}"}}], "Body_Text": ["While it might seem tidier to write", "doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement."]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "[REF-1374]", "Description": "Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)", "Link": "https://www.unciphered.com/blog/randstorm-you-cant-patch-a-house-of-cards"}, {"Reference": "CVE-2022-22224", "Description": "Chain: an operating system does not properly process malformed Open Shortest Path First (OSPF) Type/Length/Value Identifiers (TLV) (CWE-703), which can cause the process to enter an infinite loop (CWE-835)", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-22224"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "ERR06-J", "Entry_Name": "Do not throw undeclared checked exceptions"}}, "References": {"Reference": [{"@External_Reference_ID": "REF-567"}, {"@External_Reference_ID": "REF-568"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 8: C++ Catastrophes.\" Page 143"}, {"@External_Reference_ID": "REF-1374"}, {"@External_Reference_ID": "REF-1479"}]}, "Mapping_Notes": {"Usage": "Discouraged", "Rationale": "This CWE entry is extremely high-level, a Pillar.", "Comments": "Consider children or descendants of this entry instead.", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Notes": {"Note": {"@Type": "Relationship", "#text": "This is a high-level class that might have some overlap with other classes. It could be argued that even \"normal\" weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000)."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2008-09-09", "Submission_Version": "1.0", "Submission_ReleaseDate": "2008-09-09", "Submission_Comment": "Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0."}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Name, Relationship_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Detection_Factors, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Diagram, Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2010-12-13", "#text": "Failure to Handle Exceptional Conditions"}}}
