Skip to main content

Technical information leak - Stacktrace

Description

Errors or exceptional events are not properly handled by the application allowing an attacker to disclose technical information from system error traces:

Impact

Exhibit technical information of the system.

Recommendation

  • Remove functions that print technical information such as PrintStacktrace from the source code

  • Handle errors with typified exceptions and store them in duly protected logs

Threat

Internal attacker with access to the server console.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: U
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:R
  • Score:
    • Base: 4.3
    • Temporal: 3.9
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

The application correctly handles exceptions without using print functions that leak technical information

public class Test {
public static void main(String[ ] args) {
try {
//Code to handle data that could result in an exception
} catch (IndexException e) {
if (e.toString() == "Error"){
return Exception("Error message")
}
}
}
}

Non compliant code

The application uses stacktrace functions that could potentially print sensitive information

public class Test {
public static void main(String[ ] args) {
try {
//Code to handle data that could result in an exception
} catch (IndexException e) {
if (e.toString() == "Error"){
System.out.println("Error");
}
e.printStackTrace();
}
}
}

Requirements