CWE-187: Partial String Comparison
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
Extended Description
For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.
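As an added illustration (not part of the CWE entry), a constructed Python example of the prefix-only password check this description refers to, beside a full-length comparison that closes the weakness; the stored password string and the helper names are assumptions made for the demo:

```python
import hmac

# Constructed demo value: kept as a plain string so the comparison is visible.
# Real systems compare salted password hashes, never the password itself.
STORED_PASSWORD = "correct horse battery staple"


def check_password_partial(supplied: str, stored: str = STORED_PASSWORD) -> bool:
    """CWE-187 pattern: compares only as many characters as the caller supplied.

    This mirrors the C idiom strncmp(supplied, stored, strlen(supplied)) == 0,
    so any prefix of the stored password, even a single character, is accepted.
    """
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def check_password_full(supplied: str, stored: str = STORED_PASSWORD) -> bool:
    """Corrected check: the lengths must match and every byte is compared.

    hmac.compare_digest returns False on a length mismatch and otherwise compares
    the whole value in constant time, so neither a prefix nor timing leaks pass.
    """
    return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))


def run_checks(checker, stored: str = STORED_PASSWORD) -> dict:
    """Positive and negative cases for a comparison routine, as the
    mitigation on this page recommends. Returns {case_name: accepted?}."""
    cases = {
        "exact": stored,              # positive case: must be accepted
        "one_char_prefix": stored[:1],  # negative: must be rejected
        "long_prefix": stored[:-1],     # negative: must be rejected
        "wrong": "x" * len(stored),     # negative: same length, wrong content
        "empty": "",                    # negative: must be rejected
    }
    return {name: checker(value, stored) for name, value in cases.items()}
```

Running `run_checks` against both routines shows the partial comparison accepting every prefix case while the full comparison accepts only the exact password.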
Common Consequences
Scope: Integrity; Access Control
Technical Impact: Alter Execution Logic; Bypass Protection Mechanism
Potential Mitigations
Phase: Testing
Description: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Observed Examples
Reference: CVE-2014-6394
Product does not prevent access to restricted directories due to partial string comparison with a public directory
Reference: CVE-2004-1012
Argument parser of an IMAP server treats a partial command "body[p" as if it is "body.peek", leading to index error and out-of-bounds corruption.
Reference: CVE-2004-0765
Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.
Reference: CVE-2002-1374
One-character password by attacker checks only against first character of real password.
Reference: CVE-2000-0979
One-character password by attacker checks only against first character of real password.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Partial Comparison | - |