
CWE-697 (Incorrect Comparison): Vulnerability Class, 47 CVEs

47 vulnerabilities classified as CWE-697 (Incorrect Comparison). AI-generated analysis in Chinese included.

CWE-697 is a logic flaw: the software compares two entities in a security-relevant context, but the comparison is wrong. It shows up when a check evaluates a single factor incorrectly (for example, comparing only a prefix whose length the attacker controls), omits a factor that the decision depends on (an equality method that ignores one field, a guard that treats an empty value as a match), or evaluates the wrong attribute altogether. Attackers exploit such checks by crafting inputs that satisfy the flawed comparison without satisfying the intended policy, bypassing authentication, authorization or integrity controls or, as in several of the CVEs listed below, triggering crashes and denial of service. Preventing it means making the comparison reflect the policy exactly: compare every factor the policy depends on, over the full length of both operands, with strict (type- and length-aware) equality, and never derive the comparison bound from untrusted input. Unit tests that cover boundary inputs (empty strings, prefixes, values of the wrong type) and static analysis for known-bad comparison idioms catch the cases that review misses.

MITRE CWE Description
The product compares two entities in a security-relevant context, but the comparison is incorrect. This Pillar covers several possibilities: the comparison checks one factor incorrectly; the comparison should consider multiple factors, but it does not check at least one of those factors at all; the comparison checks the wrong factor.
Common Consequences (1)
Scope: Other · Impact: Varies by Context
When the comparison is incorrect, it may lead to resultant weaknesses.
Examples (2)
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year. The equals() method below compares make and model but never year, so one of the three defining factors is omitted and two trucks from different years compare as equal.

```java
public class Truck {
    private String make;
    private String model;
    private int year;

    // Added so the listing compiles on its own; the original omits the getters.
    public String getMake() { return make; }
    public String getModel() { return model; }

    public boolean equals(Object o) {
        if (o == null) return false;
        if (o == this) return true;
        if (!(o instanceof Truck)) return false;
        Truck t = (Truck) o;
        // Incorrect comparison: year is never checked
        return (this.make.equals(t.getMake()) && this.model.equals(t.getModel()));
    }
}
```

Bad · Java
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user and check that they match the fixed username and password. If both match, AuthenticateUser() is intended to indicate that authentication succeeded. The flaw is that both strncmp() calls take their length bound from the attacker-supplied string, so only as many bytes of the secret are examined as the attacker chooses to send.

```c
#include <string.h>

/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
char *username = "admin";
char *pass = "password";

int AuthenticateUser(char *inUser, char *inPass) {
    /* Comparison bound is strlen(inUser), which the attacker controls */
    if (strncmp(username, inUser, strlen(inUser))) {
        logEvent("Auth failure of username using strlen of inUser");
        return(AUTH_FAIL);
    }
    /* Same flaw for the password: a 1-byte input checks 1 byte of the secret */
    if (! strncmp(pass, inPass, strlen(inPass))) {
        logEvent("Auth success of password using strlen of inUser");
        return(AUTH_SUCCESS);
    }
    else {
        logEvent("Auth fail of password using sizeof");
        return(AUTH_FAIL);
    }
}

int main (int argc, char **argv) {
    int a
```

Bad · C
Because the comparison length is taken from the attacker-supplied inPass, each of the following inputs passes the password check for the "admin" user (an empty string passes too, since strncmp() with a length of zero reports equality), and the same prefix-matching applies to the username:

```
p
pa
pas
pass
```

Attack
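The two forms side by side, as an added C example that is not code from the MITRE entry or from this page. It keeps the vulnerable AuthenticateUser() logic above (renamed authenticate_vulnerable), adds a hardened authenticate_fixed() that compares against the full expected length in constant time, and adds recover_password(), which uses the vulnerable check as an oracle to reconstruct the secret one printable character at a time. The credentials, the function names and the 94-character printable alphabet are assumptions made for the example; this is also the "checks one factor incorrectly" case described in the overview.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_SUCCESS 1
#define AUTH_FAIL    0

/* Constructed fixed credentials mirroring the page's example.  The hard-coded
 * secret (CWE-259) is beside the point; the comparison is what is tested. */
static const char *username = "admin";
static const char *pass     = "password";

/* Vulnerable form (CWE-697): the number of bytes compared is strlen() of the
 * attacker-supplied value, so a one-byte guess inspects one byte of the secret
 * and an empty string compares zero bytes, which strncmp reports as equal. */
int authenticate_vulnerable(const char *inUser, const char *inPass)
{
    if (strncmp(username, inUser, strlen(inUser)) != 0)
        return AUTH_FAIL;
    if (strncmp(pass, inPass, strlen(inPass)) == 0)
        return AUTH_SUCCESS;
    return AUTH_FAIL;
}

/* Hardened comparison: the bound is the length of the expected value, a length
 * mismatch is rejected outright, and every byte is folded into one accumulator
 * so the running time does not depend on which prefix matched. */
static int secure_equal(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

int authenticate_fixed(const char *inUser, const char *inPass)
{
    /* Evaluate both factors unconditionally; a short-circuit on the username
     * would leak its outcome through timing. */
    int user_ok = secure_equal(username, inUser);
    int pass_ok = secure_equal(pass, inPass);
    return (user_ok & pass_ok) ? AUTH_SUCCESS : AUTH_FAIL;
}

/* Attack: use the vulnerable check as an oracle and recover the password one
 * printable character (0x21..0x7e) at a time.  Returns the number of oracle
 * queries; the recovered secret is written to out (out_len bytes). */
size_t recover_password(char *out, size_t out_len)
{
    size_t queries = 0, pos = 0;
    out[0] = '\0';
    while (pos + 1 < out_len) {
        int found = 0;
        for (int c = 0x21; c <= 0x7e && !found; c++) {
            out[pos] = (char)c;
            out[pos + 1] = '\0';
            queries++;
            if (authenticate_vulnerable(username, out) == AUTH_SUCCESS)
                found = 1;
        }
        if (!found)
            break;  /* no extension is accepted: the prefix is the whole secret */
        pos++;
    }
    out[pos] = '\0';
    return queries;
}

int main(void)
{
    const char *guesses[] = { "", "p", "pa", "pas", "pass" };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("password \"%s\": vulnerable=%d fixed=%d\n", guesses[i],
               authenticate_vulnerable("admin", guesses[i]),
               authenticate_fixed("admin", guesses[i]));

    char recovered[32];
    size_t q = recover_password(recovered, sizeof recovered);
    printf("recovered \"%s\" in %zu oracle queries\n", recovered, q);
    return 0;
}
```

Build and run with `cc -Wall -o auth auth.c && ./auth`. The vulnerable check accepts every prefix, and the oracle recovers the eight-character password in a few hundred queries instead of the 94^8 a full-length comparison would force. The hardened version still reveals whether the supplied length matches; if even that matters, compare a fixed-length hash of the input against a stored hash instead of the raw strings.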
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-35040 | fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS) | fast-jwt | 5.3 | Medium | 2026-04-09 |
| CVE-2026-34574 | Parse Server: Session field immutability bypass via falsy-value guard | parse-server | 7.1 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34210 | mppx has Stripe charge credential replay via missing idempotency check | mppx | 7.5 | - | 2026-03-31 |
| CVE-2026-32322 | soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction | rs-soroban-sdk | 5.3 | Medium | 2026-03-12 |
| CVE-2025-20343 | Cisco Identity Services Engine Radius Suppression Denial of Service Vulnerability | Cisco Identity Services Engine Software | 8.6 | High | 2025-11-05 |
| CVE-2025-12192 | The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure | The Events Calendar | 5.3 | Medium | 2025-11-05 |
| CVE-2025-47416 | ConsoleFindCommandMatchList | TOUCHSCREEN x70 | 9.8 (AI) | Critical (AI) | 2025-09-09 |
| CVE-2025-9401 | HuangDou UTCMS Login login.php comparison | UTCMS | 3.7 | Low | 2025-08-25 |
| CVE-2025-48952 | NetAlertX has Password Bypass Vulnerability due to Loose Comparison in PHP | NetAlertX | 9.4 | Critical | 2025-07-04 |
| CVE-2025-3102 | SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation | OttoKit: All-in-One Automation Platform | 8.1 | High | 2025-04-10 |
| CVE-2024-53861 | Issuer field partial matches allowed in pyjwt | pyjwt | 2.2 | Low | 2024-11-29 |
| CVE-2024-39534 | Junos OS Evolved: Connections to the network and broadcast address accepted | Junos OS Evolved | 5.4 | Medium | 2024-10-11 |
| CVE-2024-41958 | Two-Factor Authentication (2FA) Bypass in mailcow: dockerized | mailcow-dockerized | 6.6 | Medium | 2024-08-05 |
| CVE-2024-24621 | Softaculous Webuzo Authentication Bypass | Webuzo | 9.8 | Critical | 2024-07-25 |
| CVE-2015-10129 | planet-freo auth.inc.php comparison | planet-freo | 3.7 | Low | 2024-02-04 |
| CVE-2023-23766 | Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling | Enterprise Server | 4.5 | Medium | 2023-09-22 |
| CVE-2023-23845 | SolarWinds Platform Exposed Dangerous Method Vulnerability | SolarWinds Platform | 6.8 | Medium | 2023-09-13 |
| CVE-2023-23840 | SolarWinds Platform Exposed Dangerous Method Vulnerability | SolarWinds Platform | 6.8 | Medium | 2023-09-13 |
| CVE-2023-23765 | Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling | Enterprise Server | 4.8 | Medium | 2023-08-30 |
| CVE-2023-23764 | Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling | Enterprise Server | 4.8 | Medium | 2023-07-27 |
| CVE-2023-23843 | SolarWinds Platform Incorrect Comparison Vulnerability | SolarWinds Platform | 7.2 | High | 2023-07-26 |
| CVE-2023-33225 | SolarWinds Platform Deserialization of Untrusted Data Vulnerability | SolarWinds Platform | 7.2 | High | 2023-07-26 |
| CVE-2023-22435 | Server bad parsing implementation - stack overflow in server::get_db_path_for_driver | Experion Server | 7.5 | High | 2023-07-13 |
| CVE-2023-28936 | Apache OpenMeetings: insufficient check of invitation hash | Apache OpenMeetings | 7.5 | - | 2023-05-12 |
| CVE-2023-23762 | Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling | Enterprise Server | 6.5 | Medium | 2023-04-07 |
| CVE-2022-43621 | D-Link DIR-1935 security vulnerability | DIR-1935 | 8.8 | - | 2023-03-29 |
| CVE-2023-25666 | TensorFlow has Floating Point Exception in AudioSpectrogram | tensorflow | 7.5 | High | 2023-03-24 |
| CVE-2023-25669 | TensorFlow has Floating Point Exception in AvgPoolGrad with XLA | tensorflow | 7.5 | High | 2023-03-24 |
| CVE-2023-25673 | TensorFlow has Floating Point Exception in TensorListSplit with XLA | tensorflow | 7.5 | High | 2023-03-24 |
| CVE-2023-25675 | TensorFlow has Segfault in Bincount with XLA | tensorflow | 7.5 | High | 2023-03-24 |

Scores marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; "-" means no severity was recorded.

Vulnerabilities classified as CWE-697 (Incorrect Comparison) number 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.