CWE-1389: Incorrect Parsing of Numbers with Different Radices
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).
Common Consequences
Scope: Confidentiality
Technical Impact: Read Application Data
Note: An attacker may use an unexpected numerical base to access private application resources.
Scope: Integrity
Technical Impact: Bypass Protection Mechanism; Alter Execution Logic
Note: An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms.
Potential Mitigations
Phase: Implementation
Strategy: Enforcement by Conversion
Description: If only decimal-based values are expected in the application, conditional checks should be written so that octal or hexadecimal strings are never evaluated. This can be achieved by converting any numerical string to an explicit base-10 integer prior to the conditional check, so that octal or hex values are never compared against the condition.
Phase: Implementation
Strategy: Input Validation
Description: If various numerical bases do need to be supported, check for leading values indicating the non-decimal base you wish to support (such as 0x for hex) and convert the numeric strings to integers of the respective base. Reject any other alternative-base string that is not intentionally supported by the application.
Phase: Implementation
Strategy: Input Validation
Description: If regular expressions are used to validate IP addresses, ensure that they are bounded using ^ and $ to prevent base-prepended IP addresses from being matched.
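The following Python validator is an added illustration of the first and third mitigations, not code from the CWE entry: it anchors the IPv4 pattern, forbids leading zeros and radix prefixes, converts each octet with an explicit base 10, and makes the access-control decision only on the strictly parsed value. The weak check beside it is a constructed counter-example; the function and variable names are assumptions for this example.

```python
import re
from typing import Optional, Tuple

# Anchored pattern: exactly four groups of 1-3 ASCII digits. fullmatch() is used
# rather than match() with "$", because in Python "$" also matches just before a
# trailing newline, so "127.0.0.1\n" would slip through a "^...$" check.
_DOTTED_QUAD = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}")

def strict_ipv4(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted-quad IPv4 string as strict decimal, or return None.

    Rejects anything a downstream resolver might reinterpret in another radix:
    leading zeros (octal in inet_aton-style parsers), 0x prefixes (hex),
    bare integers, and out-of-range octets.
    """
    if _DOTTED_QUAD.fullmatch(text) is None:
        return None
    octets = []
    for part in text.split("."):
        if len(part) > 1 and part[0] == "0":   # "010" would be octal elsewhere
            return None
        value = int(part, 10)                 # explicit base 10, never base 0
        if value > 255:
            return None
        octets.append(value)
    return tuple(octets)

def weak_ipv4_check(text: str) -> bool:
    """The pattern CWE-1389 warns about: unanchored search, no leading-zero rule."""
    return re.search(r"[0-9]{1,3}(\.[0-9]{1,3}){3}", text) is not None

def allowed_by_blocklist(text: str, blocked_prefix: Tuple[int, ...] = (127,)) -> bool:
    """Access-control decision made only on the strictly parsed value."""
    addr = strict_ipv4(text)
    if addr is None:
        return False          # unparsable or non-decimal input is rejected outright
    return addr[: len(blocked_prefix)] != blocked_prefix
```

Because the weak check accepts "0127.0.0.1", a later resolver that reads the leading zero as octal would connect to a different host than the one the validator believed it had approved; the strict parser refuses such input before any comparison happens.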
Observed Examples
Reference: CVE-2021-29662
Chain: Use of zero-prepended IP addresses in Perl-based IP validation module can lead to an access control bypass.
Reference: CVE-2021-28918
Chain: Use of zero-prepended IP addresses in a product that manages IP blocks can lead to an SSRF.
Reference: CVE-2021-29921
Chain: Use of zero-prepended IP addresses in a Python standard library package can lead to an SSRF.
Reference: CVE-2021-29923
Chain: Use of zero-prepended IP addresses in the net Golang library can lead to an access control bypass.
Reference: CVE-2021-29424
Chain: Use of zero-prepended IP addresses in Perl netmask module allows bypass of IP-based access control.
Reference: CVE-2016-4029
Chain: Incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918).
Reference: CVE-2020-13776
Mishandling of hex-valued usernames leads to unexpected decimal conversion and privilege escalation in the systemd Linux suite.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | Input validation used may assume decimal bases during conditional checks, when it may not always be the case. |
| Implementation | The application may rely on a service that supports different numerical bases. |