Versions Compared

Comment: REM cost reform

...

Exceptions may inadvertently reveal sensitive information unless care is taken to limit the information disclosure.

Rule      Severity   Likelihood   Detectable   Repairable   Priority   Level
ERR01-J   Medium     Probable     No           Yes          P8         L2

Previous version of this row (before the remediation cost reform, which replaced the Remediation Cost column with Detectable and Repairable): Remediation Cost High, Priority P4, Level L3.

Automated Detection

Tool                         Version        Checker                              Description
[tool name missing in extract]  [not shown]  SECURITYWSC, SERVLET, SECURITYESD    Implemented
Klocwork                     Klocwork_V     SV.IL.DEV
Parasoft Jtest               Parasoft_V     CERT.ERR01.ACPST                     Do not call the 'printStackTrace()' method of "Throwable" objects
                                            CERT.ERR01.CETS                      Catch all exceptions which may be thrown within Servlet methods
                                            CERT.ERR01.ACW                       Avoid writing to Consoles
SonarQube                    SonarQube_V    S1989                                Exceptions should not be thrown from servlet methods

Related Vulnerabilities

CVE-2009-2897 describes multiple cross-site scripting (XSS) vulnerabilities in several versions of SpringSource Hyperic HQ. They allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, and are demonstrated by an uncaught java.lang.NumberFormatException raised when invalid numeric parameters are entered in the web interface.
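As an added illustration of the pattern behind CVE-2009-2897 (example code, not from the CERT page or from Hyperic HQ), the following Java snippet contrasts a parse whose NumberFormatException message echoes the raw request parameter with one that validates the input, keeps the detail in a server-side log, and hands the caller only a fixed message. The class and method names are hypothetical.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class NumericParam {
    private static final Logger LOG = Logger.getLogger(NumericParam.class.getName());

    // Noncompliant: Integer.parseInt builds its message from the raw input
    // ('For input string: "..."'). If the exception propagates out of a
    // servlet method, the container's default error page reflects that
    // attacker-controlled text back to the client.
    static int parseUnsafe(String raw) {
        return Integer.parseInt(raw);
    }

    // Compliant: reject anything that is not a plausible int, log only
    // non-sensitive detail server-side, and throw a message that carries
    // nothing derived from the input.
    static int parseSafe(String raw) {
        if (raw == null || !raw.matches("-?\\d{1,10}")) {
            LOG.log(Level.WARNING, "rejected numeric parameter of length {0}",
                    raw == null ? 0 : raw.length());
            throw new IllegalArgumentException("Invalid request parameter");
        }
        try {
            return Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            // Reached for 10-digit values outside the int range; the cause is
            // logged here and never forwarded to the client.
            LOG.log(Level.WARNING, "numeric parameter out of range", e);
            throw new IllegalArgumentException("Invalid request parameter");
        }
    }

    public static void main(String[] args) {
        String bad = "42abc"; // constructed invalid parameter value
        try {
            parseUnsafe(bad);
        } catch (NumberFormatException e) {
            System.out.println("unsafe: " + e.getMessage()); // echoes "42abc"
        }
        try {
            parseSafe(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: " + e.getMessage());   // generic text only
        }
        System.out.println("parsed: " + parseSafe("42"));
    }
}
```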

CVE-2015-2080 describes a vulnerability in the Jetty web server, versions 9.2.3 to 9.2.8, in which an illegal character passed in an HTTP request causes the server to respond with an error message that echoes the text containing the illegal character. That error message can also contain sensitive information, such as cookies from previous web requests.

...