CWE-1289: Improper Validation of Unsafe Equivalence in Input
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
常见后果
影响范围: Other
技术影响: Varies by Context
潜在缓解措施
阶段: Implementation
策略: Input Validation
有效性: High
观察示例
参考: CVE-2021-39155
Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.
参考: CVE-2020-11053
Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601)
参考: CVE-2005-0269
File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
参考: CVE-2001-1238
Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped.
参考: CVE-2004-2214
HTTP server allows bypass of access restrictions using URIs with mixed case.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |