
140 Insecure exceptions - Empty or no catch


Description

The application does not handle exceptions properly: it contains empty _catch_ statements, or _try_ statements without their respective _catch_. Errors that are not handled can make the application temporarily or permanently unavailable.


Impact

- Crash the application through errors that are not being taken into account.
- Lose the traceability of the errors presented.


Recommendation

For every _try_ statement, define its respective _catch_ and handle the exception accordingly.
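The following JavaScript sketch is an added example, not part of the original page. It contrasts an empty _catch_ with one that records the error and returns a controlled result; the function names, the `auditLog` array and the sample inputs are constructed for illustration.

```javascript
// Added example. auditLog stands in for the application's real logger (assumption).
const auditLog = [];

// Insecure: the empty catch swallows the parse error. `order` stays undefined,
// so the failure resurfaces one line later as an unrelated TypeError and the
// original cause is never recorded.
function applyDiscountInsecure(rawBody) {
  let order;
  try {
    order = JSON.parse(rawBody);
  } catch (e) {}
  return Math.floor(order.totalCents * 90 / 100);
}

// Handled: the catch records what failed and returns a controlled error, so
// the caller keeps running and the event stays traceable.
function applyDiscountHandled(rawBody) {
  let order;
  try {
    order = JSON.parse(rawBody);
  } catch (e) {
    auditLog.push({ event: "order_parse_failed", error: e.name, message: e.message });
    return { ok: false, status: 400, error: "malformed order" };
  }
  if (typeof order?.totalCents !== "number") {
    auditLog.push({ event: "order_invalid", error: "missing totalCents" });
    return { ok: false, status: 400, error: "invalid order" };
  }
  return { ok: true, status: 200, totalCents: Math.floor(order.totalCents * 90 / 100) };
}

// Processes a batch with the handled version: one bad item does not stop the rest.
function processBatch(bodies) {
  return bodies.map((body) => applyDiscountHandled(body).status);
}

// Constructed inputs: a valid order, a truncated body, and a valid order.
const sampleBodies = ['{"totalCents": 10000}', '{"totalCents": 10000', '{"totalCents": 500}'];
console.log(processBatch(sampleBodies), auditLog);
```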


Threat

Authenticated attacker from the Internet.


Expected Remediation Time

40 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): N
  • Availability (VA): L
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/14