CWE-392 Detail

CWE-392

Missing Report of Error Condition
Draft
2006-07-19
00h00 +00:00
2024-02-29
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Missing Report of Error Condition

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Integrity
Other		Varies by Context, Unexpected State

Note: Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

Observed Examples

References Description

[REF-1374]

Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)

CVE-2004-0063

Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.

CVE-2002-1446

Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.

CVE-2002-0499

Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.

CVE-2005-2459

Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-1374

Randstorm: You Can't Patch a House of Cards
Unciphered.
https://www.unciphered.com/blog/randstorm-you-cant-patch-a-house-of-cards

Submission

Name Organization Date Date release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-10-29 +00:00 updated Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2010-12-13 +00:00 updated Description, Name
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Modes_of_Introduction, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2023-10-26 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples, References