
...
Exceptions may inadvertently reveal sensitive information unless care is taken to limit the information disclosure.
Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level
---|---|---|---|---|---|---|---
ERR01-J | Medium | Probable | No | Yes | High | P4 / P8 | L3 / L2
Automated Detection

Tool | Version | Checker | Description
---|---|---|---
Klocwork | | SV.IL.DEV | 
Parasoft Jtest | | CERT.ERR01.ACPST, CERT.ERR01.CETS, CERT.ERR01.ACW | Do not call the 'printStackTrace()' method of "Throwable" objects; Catch all exceptions which may be thrown within Servlet methods; Avoid writing to Consoles
SonarQube | | S1989 | Exceptions should not be thrown from servlet methods
...
CVE-2015-2080 describes a vulnerability in the Jetty web server, versions 9.2.3 to 9.2.8, where an illegal character passed in an HTML request causes the server to respond with an error message containing the text surrounding the illegal character. That error message can also contain sensitive information, such as cookies from previous web requests.
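The following is an added illustration of the rule, not code from the CERT page: a noncompliant servlet that forwards exception text (and the input it embeds) to the client beside a compliant one that keeps the detail in the server log. It assumes the standard javax.servlet API; the `Records` class and its file path are constructed for the example.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed back end: its failure message embeds a server-side path.
class Records {
    static String lookup(int id) throws IOException {
        if (id < 0) throw new IOException("/srv/app/data/record-" + id + ".dat not found");
        return "record " + id;
    }
}

// Noncompliant: exception text goes to the console and to the client. A bad
// 'id' echoes the submitted input; an I/O failure echoes the internal path.
class LeakyServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            resp.getWriter().println(Records.lookup(Integer.parseInt(req.getParameter("id"))));
        } catch (Exception e) {
            e.printStackTrace();                                  // flagged by CERT.ERR01.ACPST / ACW
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        }
    }
}

// Compliant: the client gets a fixed message plus an opaque reference; the
// full message and stack trace stay in the server-side log under that reference.
class SafeServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(SafeServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            resp.getWriter().println(Records.lookup(Integer.parseInt(req.getParameter("id"))));
        } catch (NumberFormatException e) {
            // Validation failure: state the rule, never the rejected value.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "parameter 'id' must be an integer");
        } catch (Exception e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "request failed, ref=" + ref, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "internal error, ref " + ref);
        }
    }
}
```

Check the container's default error page as well: some servlet containers render the `sendError` message into the response body, so even the compliant message should carry nothing beyond the reference.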
...