CWE-393 返回错误的状态编码

Return of Wrong Status Code

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown


A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.


This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.


  • cwe_Nature: ChildOf cwe_CWE_ID: 684 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 703 cwe_View_ID: 1000


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
['Integrity', 'Other'] ['Unexpected State', 'Alter Execution Logic'] This weakness could place the system in a state that could lead unexpected logic to be executed or other unintended behaviors.


In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

bad Java

try {

// something that might throw IOException
} catch (IOException ioe) {


标识 说明 链接
CVE-2003-1132 DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
CVE-2001-1509 Hardware-specific implementation of system call causes incorrect results from geteuid.
CVE-2001-1559 System call returns wrong value, leading to a resultant NULL dereference.
CVE-2014-1266 chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')).


Relationship This can be primary or resultant, but it is probably most often primary to other issues. Maintenance This probably overlaps various categories, especially those related to error handling.


映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Wrong Status Code
Software Fault Patterns SFP6 Incorrect Exception Behavior