Détail du CWE-460

CWE-460

Improper Cleanup on Thrown Exception
Moyen
Draft
2006-07-19
00h00 +00:00
2024-02-29
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Improper Cleanup on Thrown Exception

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Description du CWE

Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.

Informations générales

Modes d'introduction

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Plateformes applicables

Langue

Name: C (Undetermined)
Name: C++ (Undetermined)
Name: Java (Undetermined)
Name: C# (Undetermined)

Conséquences courantes

Portée Impact Probabilité
OtherVaries by Context

Note: The code could be left in a bad state.

Mesures d’atténuation potentielles

Phases : Implementation
If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely.

Méthodes de détection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

Soumission

Nom Organisation Date Date de publication Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Nom Organisation Date Commentaire
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated Description, Other_Notes
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Type
CWE Content Team MITRE 2021-03-15 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples