
CWE-597 Use of Wrong Operator in String Comparison: vulnerability list (3)

CWE-597 Use of Wrong Operator in String Comparison: summary of the 3 CVEs recorded under this weakness class, with AI-generated analysis.

CWE-597 covers the use of the wrong comparison operator on strings. It is most common in Java, where == and != compare object references rather than string contents: two strings with identical contents but different identity (for example a compile-time literal and a value parsed from a request) compare as unequal, even though the same code appears to work when both operands are literals. When such a comparison gates authentication, authorization or input validation, the wrong result has security consequences: a denylist or signature check written with == silently never matches runtime input, so the blocked value passes through, while an equality test on a credential rejects every genuine user. Developers should not compare string values with == or != but with the language's value-comparison method (equals() in Java), so that contents rather than references are compared; for secrets such as tokens or MACs, a constant-time comparison (MessageDigest.isEqual in Java) is the appropriate form.

MITRE CWE official description
CWE-597: Use of Wrong Operator in String Comparison. Original text: The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.
Common Consequences (1)
Scope: Other. Impact: Other.
Mitigations (1)
Phase: Implementation. Within Java, use .equals() to compare string values. Within JavaScript, use == to compare string values. Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)
Caveat: most current JavaScript style guides and linters recommend strict equality (===) together with explicit type conversion rather than ==, because loose equality applies coercion rules that are easy to misjudge. MITRE's point is that the comparison must be on values, not on object identity or unconverted types; the JavaScript example further down shows the coercion behaviour that == relies on.
Effectiveness: High
Code Examples (2)
In the example below, two Java String objects are declared and initialized with the same string value. An if statement is used to determine whether the strings are equivalent. Because both objects are created with new, == compares two distinct references and the message is never printed.
    String str1 = new String("Hello");
    String str2 = new String("Hello");
    if (str1 == str2) {
        System.out.println("str1 == str2");
    }
Bad · Java
    if (str1.equals(str2)) {
        System.out.println("str1 equals str2");
    }
Good · Java
In the example below, three JavaScript variables are declared and initialized with the same value. Note that JavaScript will convert a value between number and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same. With strict equality (===) no conversion takes place, so the number, the primitive string and the String object are all reported as different; with loose equality (==) each pair is coerced to a common type and compares as equal.
    <p id="ieq3s1" type="text">(i === s1) is FALSE</p>
    <p id="s4eq3i" type="text">(s4 === i) is FALSE</p>
    <p id="s4eq3s1" type="text">(s4 === s1) is FALSE</p>

    var i = 65;
    var s1 = '65';
    var s4 = new String('65');
    if (i === s1) {
        document.getElementById("ieq3s1").innerHTML = "(i === s1) is TRUE";
    }
    if (s4 === i) {
        document.getElementById("s4eq3i").innerHTML = "(s4 === i) is TRUE";
    }
    if (s4 === s1) {
        document.getElementById("s4eq3s1").innerHTML = "(s4 === s1) is TRUE";
    }
Bad · JavaScript
    <p id="ieq2s1" type="text">(i == s1) is FALSE</p>
    <p id="s4eq2i" type="text">(s4 == i) is FALSE</p>
    <p id="s4eq2s1" type="text">(s4 == s1) is FALSE</p>

    var i = 65;
    var s1 = '65';
    var s4 = new String('65');
    if (i == s1) {
        document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE";
    }
    if (s4 == i) {
        document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE";
    }
    if (s4 == s1) {
        document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE";
    }
Good · JavaScript
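The MITRE examples above compare two strings that were both built at runtime. The following Java program, added here as an illustration (it is not MITRE's code and not taken from any of the projects listed below), serves the analysis paragraph, the mitigation and the two MITRE examples at once: it shows why == can appear to work in tests (two literals are interned to one object) yet fail on request data, how that turns a denylist check into a bypass and a credential check into a denial of service, and the two correct forms, equals() for ordinary values and MessageDigest.isEqual for secrets. BLOCKED_USER, EXPECTED_TOKEN and fromRequest are hypothetical names chosen for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added demonstration for CWE-597; not MITRE's code and not from any listed project.
public class Cwe597Demo {

    // Hypothetical denylisted account name (constructed for this example).
    static final String BLOCKED_USER = "root";

    // Hypothetical API token the server expects (constructed for this example).
    static final String EXPECTED_TOKEN = "s3cr3t-token";

    // BAD: == compares references. It is true only when the caller passes the
    // very same String object, which a value parsed from a request never is,
    // so the denylist silently never matches runtime input.
    static boolean isBlockedBad(String user) {
        return user == BLOCKED_USER;
    }

    // GOOD: equals() compares contents. Calling it on the constant is null-safe.
    static boolean isBlockedGood(String user) {
        return BLOCKED_USER.equals(user);
    }

    // BAD: the same reference bug on a credential rejects every genuine client.
    static boolean tokenValidBad(String presented) {
        return presented == EXPECTED_TOKEN;
    }

    // GOOD for a secret: compare contents in constant time, so the time taken
    // does not reveal how many leading bytes matched. (A length mismatch is
    // still observable; use fixed-length tokens where that matters.)
    static boolean tokenValidGood(String presented) {
        if (presented == null) {
            return false;
        }
        byte[] a = presented.getBytes(StandardCharsets.UTF_8);
        byte[] b = EXPECTED_TOKEN.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Stands in for a value read from the network: built at runtime, so it is a
    // distinct object even when its contents equal a compile-time literal.
    static String fromRequest(String raw) {
        return new StringBuilder(raw).toString();
    }

    public static void main(String[] args) {
        // Two literals are interned to one object, so == happens to be true here.
        // A unit test written this way passes and hides the bug.
        System.out.println("isBlockedBad(\"root\")        = " + isBlockedBad("root"));

        // The same contents arriving from a request are a different object.
        String user = fromRequest("root");
        System.out.println("isBlockedBad(fromRequest)   = " + isBlockedBad(user));
        System.out.println("isBlockedGood(fromRequest)  = " + isBlockedGood(user));

        String token = fromRequest("s3cr3t-token");
        System.out.println("tokenValidBad(valid token)  = " + tokenValidBad(token));
        System.out.println("tokenValidGood(valid token) = " + tokenValidGood(token));
        System.out.println("tokenValidGood(wrong token) = "
                + tokenValidGood(fromRequest("s3cr3t-tokeX")));
    }
}
```

Compile and run with `javac Cwe597Demo.java && java Cwe597Demo`. The literal-versus-literal call is the misleading case: it reports the user as blocked, so a test suite built on literals never exercises the failure. The same name taken from fromRequest is not blocked under ==, which is the bypass, and the valid token is rejected under ==, which is the outage; the equals() and MessageDigest.isEqual forms report the value comparison in both cases.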
CVE ID          Title                                                                                    CVSS  Risk level  Published
CVE-2021-4259   phpRedisAdmin security vulnerability (phpRedisAdmin)                                     5.0   Medium      2022-12-19
CVE-2022-36072  Silverware Games SilverwareGames.io security vulnerability (silverwaregames-io-issue-tracker)  5.9   Medium      2022-09-06
CVE-2021-3797   hestiacp security vulnerability (hestiacp/hestiacp)                                      9.8   -           2021-09-15

CWE-597 (Use of Wrong Operator in String Comparison) is a common weakness class; this platform records the 3 CVEs associated with it.