VNX-536 – Servlet Runtime Error Message Containing Sensitive Information

Overview

Java Servlets that catch exceptions and write stack traces or raw exception messages to the HTTP response expose internal implementation details — class names, method signatures, file paths, and line numbers — that help an attacker plan follow-on attacks against the application.

Severity: Medium | CWE: CWE-536 – Servlet Runtime Error Message Containing Sensitive Information

Why This Matters

A stack trace tells an attacker which frameworks, libraries, and code paths are in use (and often which versions), and raw exception messages can carry SQL statements, file paths, and configuration values. Such details are routinely collected during the reconnaissance phase of a targeted attack.

What Gets Flagged

// FLAGGED: Stack trace written to response
try {
    doSomething();
} catch (Exception e) {
    // Writes the full trace (class names, methods, file:line) to the client
    e.printStackTrace(response.getWriter());
    // or: response.getWriter().println(e.getMessage());  // raw message may contain SQL, paths, config
}

Remediation

Log exceptions server-side and return a generic error to the client:

// SAFE: Log internally, return generic message
try {
    doSomething();
} catch (Exception e) {
    logger.error("Operation failed", e);  // Full details stay in the server-side log
    response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    response.setContentType("application/json");
    response.getWriter().println("{\"error\": \"An internal error occurred\"}");
}

Configure a custom error page in web.xml so that unhandled exceptions reach a handler of your own rather than the container's default error page, which may itself print the stack trace.
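The handler that such a web.xml entry points at, as an added example that is not part of the original page. It assumes web.xml contains `<error-page><exception-type>java.lang.Throwable</exception-type><location>/error</location></error-page>`, an SLF4J logger on the classpath, and the javax.servlet API (for Servlet 5+ the package prefix is jakarta.servlet); the servlet and class name are hypothetical.

```java
// Added example: generic error handler for the web.xml <error-page> entry.
// Assumes: <error-page><exception-type>java.lang.Throwable</exception-type>
//                      <location>/error</location></error-page>
import java.io.IOException;
import java.util.UUID;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@WebServlet("/error")
public class GenericErrorServlet extends HttpServlet {
    private static final Logger LOG = LoggerFactory.getLogger(GenericErrorServlet.class);

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container sets these request attributes before forwarding here.
        Throwable cause = (Throwable) req.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String uri = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);

        // Opaque id written to both the log entry and the response, so support
        // can locate the full trace without the client ever seeing it.
        String incidentId = UUID.randomUUID().toString();
        if (cause != null) {
            // SLF4J treats a trailing Throwable argument as the exception to log
            LOG.error("Unhandled exception incident={} uri={}", incidentId, uri, cause);
        } else {
            LOG.warn("Error page invoked incident={} status={} uri={}", incidentId, status, uri);
        }

        int code = (status != null && status >= 400)
                ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        resp.setStatus(code);
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        // Fixed text only: no exception class, message, or trace reaches the client.
        resp.getWriter().print("{\"error\":\"The request could not be completed\","
                + "\"incidentId\":\"" + incidentId + "\"}");
    }
}
```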

References