
CWE-1023 Incomplete Comparison with Missing Factors: vulnerability list (8)

A summary of the 8 CVEs classified under the CWE-1023 (Incomplete Comparison with Missing Factors) weakness, with AI-generated Chinese analysis.

CWE-1023 is a logic-flaw weakness: the product omits a key factor when it compares two entities. Attackers commonly exploit it by crafting input that lacks the omitted characteristic, bypassing authentication or authorization checks and gaining unauthorized access. To avoid it, developers should analyse the business logic thoroughly, make sure every comparison covers all of the attributes that define equality, and treat the completeness of multi-factor decisions as a focus area in code review.

Official MITRE CWE description
CWE: CWE-1023 Incomplete Comparison with Missing Factors. Original text: "The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors." Translation: when comparing entities, the product should take several factors or characteristics of each entity into account, but the comparison leaves out one or more of them.
Common consequences (1)
Scope: Integrity, Access Control. Impact: Alter Execution Logic, Bypass Protection Mechanism.
An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.
Code examples (2)
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.

```java
public class Truck {
    private String make;
    private String model;
    private int year;

    // Accessors used by equals(); the original listing omits them.
    public String getMake() { return make; }
    public String getModel() { return model; }

    public boolean equals(Object o) {
        if (o == null) return false;
        if (o == this) return true;
        if (!(o instanceof Truck)) return false;
        Truck t = (Truck) o;
        // Flaw: year is part of the definition of "same truck" but is never compared.
        return (this.make.equals(t.getMake()) && this.model.equals(t.getModel()));
    }
}
```

Bad · Java
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user and check that they match the stored username and password. If both match, AuthenticateUser() is intended to indicate that authentication succeeded.

```c
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
#include <string.h>
#include <stdio.h>

/* Definitions the original listing relies on but does not show; added so the fragment compiles. */
#define AUTH_FAIL    0
#define AUTH_SUCCESS 1
static void logEvent(const char *msg) { fprintf(stderr, "%s\n", msg); }

char *username = "admin";
char *pass = "password";

int AuthenticateUser(char *inUser, char *inPass) {
    /* Flaw: the compare length is taken from the untrusted input, so any prefix of the stored value matches. */
    if (strncmp(username, inUser, strlen(inUser))) {
        logEvent("Auth failure of username using strlen of inUser");
        return(AUTH_FAIL);
    }
    if (! strncmp(pass, inPass, strlen(inPass))) {
        logEvent("Auth success of password using strlen of inUser");
        return(AUTH_SUCCESS);
    } else {
        logEvent("Auth fail of password using sizeof");
        return(AUTH_FAIL);
    }
}

int main(int argc, char **argv) {
    /* The original listing breaks off here ("int a ..."); the rest of main() is not on the page. */
    return 0;
}
```

Bad · C
Attack: the password check above accepts any prefix of the stored password, e.g. p, pa, pas, pass.
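The prefix-match flaw in the C listing and its fix, side by side, as an added example that is not part of the original page or the CWE entry. The credentials and function names are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

#define AUTH_FAIL    0
#define AUTH_SUCCESS 1

/* Constructed demo credentials; hard-coded only so the example is self-contained. */
static const char *stored_user = "admin";
static const char *stored_pass = "password";

/* Same flaw as the CWE-1023 listing: the compare length comes from the
 * untrusted input, so the stored value's length is never a factor and any
 * prefix of it (including the empty string) is accepted. */
int authenticate_prefix_bug(const char *in_user, const char *in_pass) {
    if (strncmp(stored_user, in_user, strlen(in_user)) != 0) return AUTH_FAIL;
    if (strncmp(stored_pass, in_pass, strlen(in_pass)) != 0) return AUTH_FAIL;
    return AUTH_SUCCESS;
}

/* Equality that includes every factor: the length and every byte. The byte
 * loop runs over the full length and accumulates differences instead of
 * returning early, so timing does not reveal how many leading bytes matched. */
static int equal_full(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int authenticate_fixed(const char *in_user, const char *in_pass) {
    /* Evaluate both factors before deciding, so a wrong username does not
     * short-circuit differently from a wrong password. */
    int user_ok = equal_full(stored_user, in_user);
    int pass_ok = equal_full(stored_pass, in_pass);
    return (user_ok & pass_ok) ? AUTH_SUCCESS : AUTH_FAIL;
}
```

A review check that catches this class of bug: whenever a length argument to strncmp/memcmp is derived from attacker-controlled data, the stored value's length is a missing factor.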
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-53839 | OpenClaw <2026.5.7: hostname prefix-match bypass in trusted retry endpoint validation | OpenClaw | 6.5 | Medium | 2026-06-12 |
| CVE-2026-7473 | Arista EOS tunnel protocol decapsulation and forwarding bypass | EOS | 5.8 | Medium | 2026-06-05 |
| CVE-2026-48587 | Vary header whitespace padding leads to private data disclosure | Django | 3.1 | Low | 2026-06-03 |
| CVE-2026-4599 | jsrsasign security vulnerability | jsrsasign | 9.1 | Critical | 2026-03-23 |
| CVE-2025-62000 | BullWall Ransomware Containment security vulnerability | Ransomware Containment | 7.1 | High | 2025-12-18 |
| CVE-2025-55333 | Microsoft Windows BitLocker security vulnerability | Windows 10 Version 1507 | 6.1 | Medium | 2025-10-14 |
| CVE-2024-5528 | GitLab security vulnerability | GitLab | 3.5 | Low | 2025-02-05 |
| CVE-2021-23146 | Gallagher Command Centre security vulnerability | Command Center | 7.1 | High | 2021-11-18 |

CWE-1023 (Incomplete Comparison with Missing Factors) is a common weakness category; this platform lists 8 CVEs associated with it.