Weakness ID: 369 Vulnerability Mapping:
ALLOWEDThis CWE ID may be used to map to real-world vulnerabilities Abstraction: BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
Description The product divides a value by zero. Extended Description This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height. Relationships This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Research Concepts" (CWE-1000) Nature | Type | ID | Name |
---|
ChildOf | Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 682 | Incorrect Calculation |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Software Development" (CWE-699) Nature | Type | ID | Name |
---|
MemberOf | Category - a CWE entry that contains a set of other entries that share a common characteristic. | 189 | Numeric Errors |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003) Nature | Type | ID | Name |
---|
ChildOf | Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 682 | Incorrect Calculation |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "CISQ Quality Measures (2020)" (CWE-1305) Nature | Type | ID | Name |
---|
ChildOf | Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 682 | Incorrect Calculation |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "CISQ Data Protection Measures" (CWE-1340) Nature | Type | ID | Name |
---|
ChildOf | Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 682 | Incorrect Calculation |
Modes Of Introduction The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase. Common Consequences This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Availability
| Technical Impact: DoS: Crash, Exit, or Restart A Divide by Zero results in a crash. | |
Likelihood Of Exploit Demonstrative Examples Example 1 The following Java example contains a function to compute an average but does not validate that the input value used as the denominator is not zero. This will create an exception for attempting to divide by zero. If this error is not handled by Java exception handling, unexpected results can occur. (bad code) Example Language: Java
public int computeAverageResponseTime (int totalTime, int numRequests) { return totalTime / numRequests; }
By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. The following Java code example will validate the input value, output an error message, and throw an exception.
public int computeAverageResponseTime (int totalTime, int numRequests) throws ArithmeticException { if (numRequests == 0) { System.out.println("Division by zero attempted!"); throw ArithmeticException; } return totalTime / numRequests; }
Example 2 The following C/C++ example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur. (bad code) Example Language: C
double divide(double x, double y){ return x/y; }
By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. If the method is called and a zero is passed as the second argument a DivideByZero error will be thrown and should be caught by the calling block with an output message indicating the error.
const int DivideByZero = 10; double divide(double x, double y){ if ( 0 == y ){ throw DivideByZero; } return x/y; } ... try{ divide(10, 0); } catch( int i ){ if(i==DivideByZero) { cerr<<"Divide by zero error"; } }
Example 3 The following C# example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur. (bad code) Example Language: C#
int Division(int x, int y){ return (x / y); }
The method can be modified to raise, catch and handle the DivideByZeroException if the input value used as the denominator is zero.
int SafeDivision(int x, int y){ try{ return (x / y); } catch (System.DivideByZeroException dbz){ System.Console.WriteLine("Division by zero attempted!"); return 0; } }
Observed Examples Reference | Description |
| Invalid size value leads to divide by zero. |
| "Empty" content triggers divide by zero. |
| Height value of 0 triggers divide by zero. |
Detection Methods
Automated Static Analysis Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) |
Fuzzing Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. |
Memberships This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources. Vulnerability Mapping Notes Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities) | Reason: Acceptable-Use | Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. | Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. |
Taxonomy Mappings Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service |
CERT C Secure Coding | FLP03-C | | Detect and handle floating point errors |
CERT C Secure Coding | INT33-C | Exact | Ensure that division and remainder operations do not result in divide-by-zero errors |
The CERT Oracle Secure Coding Standard for Java (2011) | NUM02-J | | Ensure that division and modulo operations do not result in divide-by-zero errors |
Software Fault Patterns | SFP1 | | Glitch in computation |
References Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2008-04-11 (CWE Draft 9, 2008-04-11) | CWE Community | | Submitted by members of the CWE community to extend early CWE versions | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2008-07-01 | Sean Eidemiller | Cigital | added/updated demonstrative examples | 2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction | 2008-09-08 | CWE Content Team | MITRE | updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings | 2008-11-24 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | 2009-05-27 | CWE Content Team | MITRE | updated Demonstrative_Examples | 2009-10-29 | CWE Content Team | MITRE | updated Other_Notes | 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | 2011-09-13 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | 2012-05-11 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | 2014-07-30 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | 2015-12-07 | CWE Content Team | MITRE | updated Relationships | 2017-11-08 | CWE Content Team | MITRE | updated Demonstrative_Examples, Taxonomy_Mappings | 2019-01-03 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | 2020-02-24 | CWE Content Team | MITRE | updated Relationships | 2020-08-20 | CWE Content Team | MITRE | updated Relationships | 2020-12-10 | CWE Content Team | MITRE | updated Relationships | 2022-10-13 | CWE Content Team | MITRE | updated References | 2023-04-27 | CWE Content Team | MITRE | updated Demonstrative_Examples, Detection_Factors, References, Relationships | 2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes |
More information is available — Please edit the custom filter or select a different filter.
|