
CWE-1023 (Incomplete Comparison with Missing Factors) — Vulnerability Class 5

5 vulnerabilities are classified as CWE-1023 (Incomplete Comparison with Missing Factors). An AI-generated analysis (originally in Chinese) is included below.

CWE-1023 is a logic flaw: the product decides whether two entities are equivalent, or whether an entity satisfies a policy, using only some of the factors that the decision actually depends on. An attacker exploits the gap by supplying input that satisfies the factors that are checked while violating the one that is not, and so bypasses an access control or validation step. A typical instance is a system that verifies a user's role but never checks the account's status, so a disabled account with the right role still proceeds. Mitigation starts at design time: enumerate every attribute the decision depends on, then make the comparison routine check all of them explicitly rather than a convenient subset. Code review focused on equality and authorization checks, and where available formal verification of the decision logic, helps catch the omitted factor, because the code still looks correct for the cases it does check.

MITRE CWE Description
The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Common Consequences (1)
Scope: Integrity, Access Control
Impact: Alter Execution Logic, Bypass Protection Mechanism
Note: An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.
Examples (2)
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year. The equals() method below, however, compares only make and model; year is never consulted, so two trucks from different years compare as equal.

    public class Truck {
        private String make;
        private String model;
        private int year;

        public Truck(String make, String model, int year) {
            this.make = make;
            this.model = model;
            this.year = year;
        }

        public String getMake() { return make; }
        public String getModel() { return model; }
        public int getYear() { return year; }

        public boolean equals(Object o) {
            if (o == null) return false;
            if (o == this) return true;
            if (!(o instanceof Truck)) return false;
            Truck t = (Truck) o;
            // Incomplete comparison: year is part of the definition of "same truck"
            // but is never checked.
            return (this.make.equals(t.getMake()) && this.model.equals(t.getModel()));
        }
    }

Bad · Java
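The same weakness carried into C, as an added example that is not code from the page or from MITRE: the type, the comparison functions and the two-truck inventory are constructed for illustration. It shows the consequence listed above (operating on the wrong object): a lookup that uses the incomplete comparison returns the 2019 truck when the caller asked for the 2024 one, while the comparison that checks every factor returns the right entry.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a truck is "the same" when make, model and
 * year all match, mirroring the page's Truck definition. */
typedef struct {
    const char *make;
    const char *model;
    int year;
} Truck;

/* Incomplete comparison: year, one of the three defining factors, is ignored. */
int truck_equals_incomplete(const Truck *a, const Truck *b) {
    return strcmp(a->make, b->make) == 0 &&
           strcmp(a->model, b->model) == 0;
}

/* Complete comparison: every factor in the definition is checked. */
int truck_equals(const Truck *a, const Truck *b) {
    return strcmp(a->make, b->make) == 0 &&
           strcmp(a->model, b->model) == 0 &&
           a->year == b->year;
}

/* Returns the index of the first inventory entry the supplied comparison
 * considers equal to `wanted`, or -1 if none matches. */
int find_truck(const Truck *trucks, int n, const Truck *wanted,
               int (*same)(const Truck *, const Truck *)) {
    for (int i = 0; i < n; i++) {
        if (same(&trucks[i], wanted)) {
            return i;
        }
    }
    return -1;
}

/* Constructed inventory: two trucks that differ only in year. */
static const Truck sample_inventory[] = {
    { "Ford", "F-150", 2019 },
    { "Ford", "F-150", 2024 },
};
static const int sample_inventory_len = 2;

int main(void) {
    Truck wanted = { "Ford", "F-150", 2024 };
    /* Incomplete comparison stops at the first make/model match: index 0, the wrong truck. */
    printf("incomplete compare -> index %d\n",
           find_truck(sample_inventory, sample_inventory_len, &wanted, truck_equals_incomplete));
    /* Complete comparison finds the 2024 truck at index 1. */
    printf("complete compare   -> index %d\n",
           find_truck(sample_inventory, sample_inventory_len, &wanted, truck_equals));
    return 0;
}
```

The lookup function is deliberately generic: the bug is entirely in which comparison it is handed, which is why a review of equality routines in isolation (not only of the code that calls them) is what surfaces this class of flaw.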
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user and check them against the fixed values. If both match, AuthenticateUser() is intended to indicate that authentication succeeded.

    /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
    #include <stdio.h>
    #include <string.h>

    #define AUTH_FAIL    0
    #define AUTH_SUCCESS 1

    static void logEvent(const char *msg) {
        fprintf(stderr, "%s\n", msg);
    }

    char *username = "admin";
    char *pass = "password";

    int AuthenticateUser(char *inUser, char *inPass) {
        /* Compares only strlen(inUser) bytes, so any prefix of "admin" matches. */
        if (strncmp(username, inUser, strlen(inUser))) {
            logEvent("Auth failure of username using strlen of inUser");
            return(AUTH_FAIL);
        }
        /* Same flaw: the attacker-supplied inPass bounds how many bytes are compared. */
        if (! strncmp(pass, inPass, strlen(inPass))) {
            logEvent("Auth success of password using strlen of inUser");
            return(AUTH_SUCCESS);
        } else {
            logEvent("Auth fail of password using sizeof");
            return(AUTH_FAIL);
        }
    }

    /* The page's copy of main() breaks off after "int a"; completed here only so the example compiles. */
    int main(int argc, char **argv) {
        int authResult;
        if (argc < 3) {
            fprintf(stderr, "Usage: %s <username> <password>\n", argv[0]);
            return 1;
        }
        authResult = AuthenticateUser(argv[1], argv[2]);
        if (authResult == AUTH_SUCCESS) {
            printf("Authenticated %s\n", argv[1]);
            return 0;
        }
        printf("Authentication failed\n");
        return 1;
    }

Bad · C
The strncmp() call in AuthenticateUser() takes the number of bytes to compare from the attacker-supplied inPass, so a one-character password causes only the first byte of the stored password to be examined before success is declared. Any of these passwords is therefore accepted for the "admin" user:

    p
    pa
    pas
    pass

Attack
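The vulnerable check beside a corrected one, as an added example (not the page's or MITRE's code; the function names, the hard-coded credentials and the list of guesses are constructed for this illustration). The vulnerable version reproduces the page's bug in both the username and password comparisons, and the demonstration goes one step beyond the page's list: an empty input compares zero bytes and is accepted as well. The fixed version makes the length itself one of the compared factors, compares the whole stored value, and does so in constant time so that the position of the first mismatch does not leak.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL    0
#define AUTH_SUCCESS 1

/* Constructed credentials, hard-coded only so the block runs offline
 * (CWE-259 is out of scope here, as on the page). */
static const char *stored_user = "admin";
static const char *stored_pass = "password";

/* Vulnerable: the byte count passed to strncmp() comes from the attacker's
 * input, so any prefix of the stored value passes, and an empty input
 * compares zero bytes and always "matches". */
int auth_vulnerable(const char *in_user, const char *in_pass) {
    if (strncmp(stored_user, in_user, strlen(in_user)) != 0) {
        return AUTH_FAIL;
    }
    if (strncmp(stored_pass, in_pass, strlen(in_pass)) != 0) {
        return AUTH_FAIL;
    }
    return AUTH_SUCCESS;
}

/* Constant-time comparison of two buffers of equal length: the result does
 * not depend on where the first differing byte sits. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    }
    return diff == 0;
}

/* Fixed: the length of the stored value is a factor of its own, and every
 * byte of the stored value is compared. */
static int full_match(const char *stored, const char *supplied) {
    size_t n = strlen(stored);
    if (strlen(supplied) != n) {
        return 0;
    }
    return ct_equal(stored, supplied, n);
}

int auth_fixed(const char *in_user, const char *in_pass) {
    /* Evaluate both factors before deciding, so a wrong username and a
     * wrong password take the same path. */
    int user_ok = full_match(stored_user, in_user);
    int pass_ok = full_match(stored_pass, in_pass);
    return (user_ok & pass_ok) ? AUTH_SUCCESS : AUTH_FAIL;
}

int main(void) {
    /* Constructed guesses: prefixes of the stored password, the exact value,
     * and one that is too long. The vulnerable call also uses the truncated
     * username "a", which its username check accepts. */
    const char *guesses[] = { "", "p", "pa", "pas", "pass", "password", "passwordX" };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("%-10s vulnerable(a)=%d fixed(admin)=%d\n", guesses[i],
               auth_vulnerable("a", guesses[i]) == AUTH_SUCCESS,
               auth_fixed("admin", guesses[i]) == AUTH_SUCCESS);
    }
    return 0;
}
```

Using strlen() of the stored value rather than of the input is the minimal fix for the page's bug; the explicit length check is what makes the comparison complete, since strncmp() bounded by the stored length would still accept a longer input that shares the stored value as a prefix only if a terminator mismatch happened to be inside the window.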
CVE ID         | Title                                                        | Product                   | CVSS | Severity | Published
CVE-2026-4599  | jsrsasign security vulnerability                             | jsrsasign                 | 9.1  | Critical | 2026-03-23
CVE-2025-62000 | BullWall Ransomware Containment incomplete file inspection   | Ransomware Containment    | 7.1  | High     | 2025-12-18
CVE-2025-55333 | Windows BitLocker Security Feature Bypass Vulnerability      | Windows 10 Version 1507   | 6.1  | Medium   | 2025-10-14
CVE-2024-5528  | Incomplete Comparison with Missing Factors in GitLab         | GitLab                    | 3.5  | Low      | 2025-02-05
CVE-2021-23146 | Gallagher Command Centre security vulnerability              | Command Center            | 7.1  | High     | 2021-11-18

The 5 CVEs listed above are classified as CWE-1023 (Incomplete Comparison with Missing Factors). The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.