
CWE-187 (Partial Comparison) — Vulnerability Class 6

6 vulnerabilities are classified as CWE-187 (Partial Comparison). AI-generated analysis in Chinese is included.

CWE-187, Partial String Comparison, is a logic flaw where software validates input by examining only a subset of a string rather than the entire value. This weakness typically enables attackers to bypass security controls, such as authentication mechanisms, by providing a short input that matches a prefix or substring of the correct credential. For instance, a user might gain access by entering just the first few characters of a password if the system checks only that portion. To prevent this vulnerability, developers must ensure that all string comparisons are performed against the complete input data. Implementing strict equality checks that require the entire string to match, rather than relying on partial matches or substring searches, effectively mitigates this risk and ensures robust validation of sensitive data.

MITRE CWE Description
The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.
Common Consequences (1)
Scope: Integrity, Access Control
Impact: Alter Execution Logic, Bypass Protection Mechanism

Mitigations (1)
Phase: Testing
Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Examples (1)
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
Bad · C

```c
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_SUCCESS 1
#define AUTH_FAIL    0

/* Stub added for this page so the listing compiles; the original does not define logEvent(). */
static void logEvent(const char *msg) { fprintf(stderr, "%s\n", msg); }

char *username = "admin";
char *pass = "password";

int AuthenticateUser(char *inUser, char *inPass) {
  /* Only strlen(inUser) bytes are compared, so any prefix of the real username passes. */
  if (strncmp(username, inUser, strlen(inUser))) {
    logEvent("Auth failure of username using strlen of inUser");
    return(AUTH_FAIL);
  }
  /* Same flaw for the password: the comparison length comes from the untrusted input. */
  if (! strncmp(pass, inPass, strlen(inPass))) {
    logEvent("Auth success of password using strlen of inUser");
    return(AUTH_SUCCESS);
  }
  else {
    logEvent("Auth fail of password using sizeof");
    return(AUTH_FAIL);
  }
}

int main (int argc, char **argv) {
  int a
  /* The original listing breaks off at the line above; the rest of main() is a minimal completion added for this page. */
  ;
  if (argc < 3) {
    fprintf(stderr, "Usage: %s <username> <password>\n", argv[0]);
    return EXIT_FAILURE;
  }
  a = AuthenticateUser(argv[1], argv[2]);
  printf("%s\n", a == AUTH_SUCCESS ? "authenticated" : "rejected");
  return a == AUTH_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Attack: because only strlen(inPass) bytes of the stored password are compared, any prefix of "password" is accepted, e.g. p, pa, pas, pass.
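To make the defect and its fix concrete, here is an added example (not code from MITRE or from this site) that places the prefix-bounded comparison next to a hardened version. Both functions, their names, and the probe inputs are constructed for this page; the fixed variant requires equal lengths and then compares every byte without stopping at the first mismatch, so neither a prefix nor an empty string is accepted.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_SUCCESS 1
#define AUTH_FAIL    0

static const char *username = "admin";
static const char *pass = "password";

/* Vulnerable (CWE-187): the comparison length is taken from the untrusted input,
 * so any prefix of the stored value, including the empty string, matches. */
int authenticate_partial(const char *inUser, const char *inPass) {
    if (strncmp(username, inUser, strlen(inUser)) != 0) return AUTH_FAIL;
    if (strncmp(pass, inPass, strlen(inPass)) == 0) return AUTH_SUCCESS;
    return AUTH_FAIL;
}

/* Hardened: lengths must be identical and every byte is folded into one
 * accumulator, so the whole value is checked and no early exit leaks position. */
static int equal_full(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int authenticate_full(const char *inUser, const char *inPass) {
    if (!equal_full(username, inUser)) return AUTH_FAIL;
    return equal_full(pass, inPass) ? AUTH_SUCCESS : AUTH_FAIL;
}

int main(void) {
    /* Constructed probes: prefixes, the exact value, and an over-long value. */
    const char *probes[] = {"", "p", "pass", "password", "passwordX"};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-10s partial=%d full=%d\n", probes[i],
               authenticate_partial("admin", probes[i]),
               authenticate_full("admin", probes[i]));
    return 0;
}
```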

Vulnerabilities classified as CWE-187 (Partial Comparison) account for 6 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.