CWE-1023: Incomplete Comparison with Missing Factors
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Extended Description
An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.
Common Consequences
Scope: Integrity, Access Control
Technical Impact: Alter Execution Logic; Bypass Protection Mechanism
Potential Mitigations
Phase: Testing
Description: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Observed Examples
Reference: CVE-2005-2782
PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
Reference: CVE-2014-6394
Product does not prevent access to restricted directories due to partial string comparison with a public directory.
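An added illustration of the two observed patterns in Python (example code, not part of the CWE entry or of either referenced product): a directory restriction that compares only a string prefix, beside a version that compares whole path components, and a remote-inclusion filter built as a scheme denylist that omits ftp, beside an allowlist. The public root and the URLs are constructed values.

```python
import posixpath
from urllib.parse import urlparse

# Constructed example root; not taken from the CWE entry or any real product.
PUBLIC_ROOT = "/var/www/public"


def is_public_incomplete(path: str) -> bool:
    """Flawed: the comparison ignores the directory boundary.
    "/var/www/public_admin/x" and "/var/www/public/../secret" both pass
    because only a character prefix is checked (CVE-2014-6394 pattern)."""
    return path.startswith(PUBLIC_ROOT)


def is_public_complete(path: str) -> bool:
    """Normalises the path, then checks that PUBLIC_ROOT is an ancestor
    directory component by component, so the boundary is part of the test."""
    real = posixpath.normpath(posixpath.join("/", path))
    return posixpath.commonpath([real, PUBLIC_ROOT]) == PUBLIC_ROOT


def include_allowed_incomplete(target: str) -> bool:
    """Flawed: a denylist that enumerates some remote schemes but forgets
    others such as ftp (CVE-2005-2782 pattern)."""
    scheme = urlparse(target).scheme.lower()
    return scheme not in {"http", "https"}


def include_allowed_complete(target: str) -> bool:
    """Allowlist: accept only scheme-less local references; any scheme,
    known or not, is rejected rather than needing to be listed."""
    return urlparse(target).scheme == ""
```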
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |