CWE-703: Improper Check or Handling of Exceptional Conditions
Official CWE-703 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-703: Improper Check or Handling of Exceptional Conditions
Improper Check or Handling of Exceptional Conditions is a recurring weakness pattern: when a product does not anticipate, check for, or correctly handle conditions that rarely arise in normal operation (an I/O error, an unexpected return value, an unusual state transition), an attacker who can provoke those conditions gains an exploitable path wherever the design, validation, or implementation controls for them are missing.
Executive Impact
- Confidentiality, Availability, Integrity: Read Application Data; DoS: Crash, Exit, or Restart; Unexpected State
Developer Pattern
CWE-703 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
High confidence, from CWE-703 (version 4.20).
Official CWE Definition
CWE-703: Improper Check or Handling of Exceptional Conditions
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- Consider the following code segment: The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy().
- The following method throws three types of exceptions. While it might seem tidier to write, doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement.
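The fgets()/strcpy() pattern described in the first cause above, shown beside a checked counterpart. This is an added example written for this page, not code from CWE or from Glexia; the function names, the LINE_MAX_LEN constant, the read_status enum and the tmpfile()-based driver are this example's own choices. The checked version treats a NULL return as the signal it is: it tells end-of-file apart from an I/O error, never reads a buffer fgets() may not have written, and bounds the copy into the caller's buffer instead of trusting a terminator.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 9   /* the page's example expects a line of length 9 or less */

typedef enum { READ_OK, READ_EOF, READ_IOERR, READ_TOOLONG } read_status;

/*
 * The weak pattern from the page, kept for contrast and never called here:
 * the fgets() return value is ignored, so after an I/O error buf may lack a
 * null terminator and at end-of-file buf is never written at all. strcpy()
 * then reads past buf.
 */
void read_line_unchecked(FILE *fp, char *out)
{
    char buf[LINE_MAX_LEN + 1];
    fgets(buf, sizeof buf, fp);   /* NULL return not checked */
    strcpy(out, buf);             /* may read an unterminated or unwritten buf */
}

/*
 * Checked counterpart. On NULL the buffer is not touched; the caller learns
 * whether EOF or an error occurred. Overlong lines are reported and drained
 * so the next read starts on a line boundary. The copy is bounded by outsz.
 */
read_status read_line_checked(FILE *fp, char *out, size_t outsz)
{
    char buf[LINE_MAX_LEN + 1];
    if (out == NULL || outsz == 0) return READ_IOERR;
    out[0] = '\0';

    if (fgets(buf, sizeof buf, fp) == NULL) {
        /* buf is unspecified here: report which exceptional case happened. */
        return ferror(fp) ? READ_IOERR : READ_EOF;
    }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else if (len == LINE_MAX_LEN) {
        /* Buffer filled without a newline: peek to see whether the line goes on. */
        int c = fgetc(fp);
        if (c != EOF && c != '\n') {
            while ((c = fgetc(fp)) != EOF && c != '\n') { }   /* discard remainder */
            return READ_TOOLONG;
        }
    }
    if (len >= outsz) return READ_TOOLONG;
    memcpy(out, buf, len + 1);   /* bounded copy, terminator included */
    return READ_OK;
}

/* Driver: write constructed input to a standard C temporary file, read line n. */
read_status read_nth_line(const char *input, int n, char *out, size_t outsz)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return READ_IOERR;
    fputs(input, fp);
    rewind(fp);
    read_status st = READ_EOF;
    for (int i = 0; i < n; i++) st = read_line_checked(fp, out, outsz);
    fclose(fp);
    return st;
}

/* Convenience for checks: status is returned, the line lands in g_last_line. */
char g_last_line[32];
read_status check_nth_line(const char *input, int n)
{
    return read_nth_line(input, n, g_last_line, sizeof g_last_line);
}

int main(void)
{
    /* Constructed inputs covering the two NULL cases the page describes plus an overlong line. */
    read_status st = check_nth_line("", 1);
    printf("empty input   -> status %d (READ_EOF=%d), out=\"%s\"\n", st, READ_EOF, g_last_line);
    st = check_nth_line("1234567890abc\nnext\n", 1);
    printf("overlong line -> status %d (READ_TOOLONG=%d)\n", st, READ_TOOLONG);
    st = check_nth_line("1234567890abc\nnext\n", 2);
    printf("next line     -> status %d (READ_OK=%d), out=\"%s\"\n", st, READ_OK, g_last_line);
    return 0;
}
```

The empty-input case is the one the page singles out: fgets() returns NULL without writing anything, and the checked version hands back READ_EOF with an empty, terminated output buffer instead of letting strcpy() read whatever happened to be on the stack.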
Remediation
- Use safe APIs
- Centralize the control
- Add regression tests
- Review logs and telemetry for attempted abuse
Detection
- Dynamic Analysis with Manual Results Interpretation
- Manual Static Analysis - Source Code
- Automated Static Analysis - Source Code
- Architecture or Design Review
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-1384: Improper Handling of Physical or Environmental Conditions
- CWE-228: Improper Handling of Syntactically Invalid Structure
- CWE-248: Uncaught Exception
- CWE-391: Unchecked Error Condition
- CWE-392: Missing Report of Error Condition
- CWE-393: Return of Wrong Status Code
- CWE-397: Declaration of Throws for Generic Exception
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-755: Improper Handling of Exceptional Conditions
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.