
CWE-697 (Incorrect Comparison) — Vulnerability Class 47

47 vulnerabilities classified as CWE-697 (Incorrect Comparison). AI-generated Chinese analysis included.

CWE-697 represents a logical flaw where software performs an inaccurate evaluation between two entities within a security-critical context. This weakness typically manifests when a developer checks only a single factor, ignores necessary multiple factors, or evaluates the wrong attribute entirely, leading to flawed decision-making processes. Attackers exploit these errors by crafting inputs that bypass intended security controls, such as authentication checks or authorization boundaries, effectively gaining unauthorized access or executing privileged actions. To prevent this, developers must rigorously validate all relevant security parameters during comparison operations. Implementing comprehensive unit tests that cover edge cases and employing static analysis tools can help identify logical inconsistencies. Furthermore, adhering to secure coding standards that mandate explicit, multi-factor verification ensures that comparisons accurately reflect the intended security policy, thereby closing potential exploitation vectors.

MITRE CWE Description
The product compares two entities in a security-relevant context, but the comparison is incorrect. This Pillar covers several possibilities: the comparison checks one factor incorrectly; the comparison should consider multiple factors, but it does not check at least one of those factors at all; the comparison checks the wrong factor.
Common Consequences (1)
Other: Varies by Context
When the comparison is incorrect, it may lead to resultant weaknesses.
Examples (2)
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.
```java
public class Truck {
    private String make;
    private String model;
    private int year;

    public Truck(String make, String model, int year) {
        this.make = make;
        this.model = model;
        this.year = year;
    }

    // Accessors the original snippet calls but does not define.
    public String getMake() { return make; }
    public String getModel() { return model; }
    public int getYear() { return year; }

    // Flawed on purpose: the stated rule includes the year, but the comparison
    // only checks make and model, so two trucks from different years compare equal.
    public boolean equals(Object o) {
        if (o == null) return false;
        if (o == this) return true;
        if (!(o instanceof Truck)) return false;
        Truck t = (Truck) o;
        return (this.make.equals(t.getMake()) && this.model.equals(t.getModel()));
    }
}
```
Bad · Java
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
```c
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL 0
#define AUTH_SUCCESS 1

/* Minimal logger so the snippet builds; the original leaves logEvent() undefined. */
static void logEvent(const char *msg) { fprintf(stderr, "%s\n", msg); }

char *username = "admin";
char *pass = "password";

int AuthenticateUser(char *inUser, char *inPass) {
    /* Flawed on purpose: strlen() of the attacker-supplied input bounds strncmp(),
       so only that many leading bytes of the expected username are compared. */
    if (strncmp(username, inUser, strlen(inUser))) {
        logEvent("Auth failure of username using strlen of inUser");
        return(AUTH_FAIL);
    }
    /* Same flaw for the password: a one-character inPass checks only its first byte. */
    if (! strncmp(pass, inPass, strlen(inPass))) {
        logEvent("Auth success of password using strlen of inUser");
        return(AUTH_SUCCESS);
    }
    else {
        logEvent("Auth fail of password using sizeof");
        return(AUTH_FAIL);
    }
}

int main (int argc, char **argv) {
    /* The page's main() is cut off after "int a"; this completion only reads the
       two command-line arguments and reports what AuthenticateUser() decides. */
    int authResult;
    if (argc < 3) {
        fprintf(stderr, "Usage: %s <username> <password>\n", argv[0]);
        return 1;
    }
    authResult = AuthenticateUser(argv[1], argv[2]);
    printf("%s\n", authResult == AUTH_SUCCESS ? "authenticated" : "authentication failed");
    return authResult == AUTH_SUCCESS ? 0 : 1;
}
```
Bad · C
```
p
pa
pas
pass
```
Attack
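The page's prefix-bounded check placed beside a full-length comparison, as an added example that is not part of the CWE entry; the credentials, function names and the `secret_equal` helper are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL 0
#define AUTH_SUCCESS 1

/* Constructed credentials, hard-coded only to mirror the page's example. */
static const char *EXPECTED_USER = "admin";
static const char *EXPECTED_PASS = "password";

/* Same logic as the page's AuthenticateUser(): strlen() of the caller's input
 * bounds strncmp(), so only a prefix of the expected value is ever compared,
 * and an empty input compares zero bytes and always "matches". */
int authenticate_prefix(const char *in_user, const char *in_pass) {
    if (strncmp(EXPECTED_USER, in_user, strlen(in_user)) != 0) return AUTH_FAIL;
    if (strncmp(EXPECTED_PASS, in_pass, strlen(in_pass)) == 0) return AUTH_SUCCESS;
    return AUTH_FAIL;
}

/* Full-length comparison: lengths must match, every byte is examined, and the
 * loop never exits early, so the verdict does not depend on where a mismatch is.
 * (Only the expected secret's length is observable, through the length check.) */
static int secret_equal(const char *expected, const char *supplied) {
    size_t n = strlen(expected);
    if (strlen(supplied) != n) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

/* Hardened check: both factors are evaluated in full before deciding. */
int authenticate_fixed(const char *in_user, const char *in_pass) {
    int user_ok = secret_equal(EXPECTED_USER, in_user);
    int pass_ok = secret_equal(EXPECTED_PASS, in_pass);
    return (user_ok & pass_ok) ? AUTH_SUCCESS : AUTH_FAIL;
}

int main(void) {
    /* The page's one-character guess "p" against each implementation. */
    printf("prefix check, pass=\"p\": %s\n",
           authenticate_prefix("admin", "p") == AUTH_SUCCESS ? "accepted" : "rejected");
    printf("fixed check,  pass=\"p\": %s\n",
           authenticate_fixed("admin", "p") == AUTH_SUCCESS ? "accepted" : "rejected");
    return 0;
}
```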
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-27579 | TensorFlow has Floating Point Exception in TFLite in conv kernel | tensorflow | 7.5 | High | 2023-03-24 |
| CVE-2014-125057 | mrobit robitailletheknot CSRF Token filters.php comparison | robitailletheknot | 3.1 | Low | 2023-01-07 |
| CVE-2022-22203 | Junos OS: EX4600 Series and QFX5000 Series: Receipt of specific traffic will lead to an fxpc process crash followed by an FPC reboot | Junos OS | 6.5 | Medium | 2022-07-20 |
| CVE-2022-24787 | Incorrect Comparison in Vyper | vyper | 7.5 | High | 2022-04-04 |
| CVE-2022-23027 | F5 BIG-IP security vulnerability | BIG-IP | 5.3 | - | 2022-01-25 |
| CVE-2021-3833 | Integria IMS incorrect authorization | Integria IMS | 9.8 | Critical | 2021-10-07 |
| CVE-2021-0295 | Junos OS: QFX10K Series: Denial of Service (DoS) upon receipt of DVMRP packets received on multi-homing ESI in VXLAN. | Junos OS | 6.1 | Medium | 2021-07-15 |
| CVE-2021-20219 | Linux kernel security vulnerability | kernel | 5.5 | - | 2021-03-23 |
| CVE-2020-15130 | False-positive validity for NFT1 genesis transactions in SLPJS | slpjs | 7.5 | High | 2020-07-30 |
| CVE-2020-15131 | False-positive validity for NFT1 genesis transactions in SLP Validate | slp-validate.js | 7.5 | High | 2020-07-30 |
| CVE-2020-11072 | False-negative validation results in MINT transactions with invalid baton | slp-validate | 8.6 | High | 2020-05-12 |
| CVE-2020-11071 | False-negative validation results in MINT transactions with invalid baton | slpjs | 8.6 | High | 2020-05-12 |
| CVE-2020-10027 | ARC Platform Uses Signed Integer Comparison When Validating Syscall Numbers | zephyr | 7.8 | High | 2020-05-11 |
| CVE-2020-10024 | ARM Platform Uses Signed Integer Comparison When Validating Syscall Numbers | zephyr | 7.8 | High | 2020-05-11 |
| CVE-2020-8864 | D-Link DIR-867, DIR-878 and DIR-882 HNAP security vulnerability | Multiple Routers | 8.8 | - | 2020-03-23 |
| CVE-2020-8862 | D-Link DAP-2610 security vulnerability | DAP-2610 | 8.8 | - | 2020-02-22 |
| CVE-2015-9238 | secure-compare security vulnerability | secure-compare node module | 5.3 | - | 2018-05-31 |

Vulnerabilities classified as CWE-697 (Incorrect Comparison) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.