- What is CWE-391?
- [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
- What CVEs are caused by CWE-391?
- 24 recorded CVEs are attributed to CWE-391, including CVE-2024-52316, CVE-2017-12182, CVE-2017-12180.
- Is CWE-391 part of the OWASP Top 10?
- CWE-391 maps to OWASP Top Ten 2004: Improper Error Handling (A7) in the OWASP security taxonomy.
- How do you prevent CWE-391?
- The choice between a language which has named or unnamed exceptions needs to be done. While unnamed exceptions exacerbate the chance of not properly dealing with an exception, named exceptions suffer from the up call version of the weak base class problem.
- How is CWE-391 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-391?
- Exploiting CWE-391 can lead to: Varies by Context, Unexpected State, Alter Execution Logic.
- Is CWE-391 actively exploited?
- 24 recorded CVEs are caused by CWE-391; none are currently in CISA's KEV catalog of actively exploited flaws.