目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-697 不充分的比较 类漏洞列表 48

CWE-697 不充分的比较 类弱点 48 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-697 属于逻辑错误类漏洞,指产品在安全相关上下文中执行了错误的实体比较。攻击者通常利用此缺陷,通过构造特定输入绕过身份验证或权限检查,从而获取未授权访问。开发者应避免此类问题,需确保比较逻辑涵盖所有必要因素,验证比较对象类型一致,并采用经过安全审计的标准库函数进行严谨的安全决策判断。

MITRE CWE 官方描述
CWE:CWE-697 不正确的比较 (Incorrect Comparison) 英文:产品在安全相关的上下文中比较两个实体,但比较操作不正确。 本 Pillar 涵盖多种可能性:比较操作错误地检查了某个因素;比较操作本应考虑多个因素,但完全没有检查其中至少一个因素;比较操作检查了错误的因素。
常见影响 (1)
OtherVaries by Context
When the comparison is incorrect, it may lead to resultant weaknesses.
代码示例 (2)
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.
public class Truck { private String make; private String model; private int year; public boolean equals(Object o) { if (o == null) return false; if (o == this) return true; if (!(o instanceof Truck)) return false; Truck t = (Truck) o; return (this.make.equals(t.getMake()) && this.model.equals(t.getModel())); } }
Bad · Java
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ char *username = "admin"; char *pass = "password"; int AuthenticateUser(char *inUser, char *inPass) { if (strncmp(username, inUser, strlen(inUser))) { logEvent("Auth failure of username using strlen of inUser"); return(AUTH_FAIL); } if (! strncmp(pass, inPass, strlen(inPass))) { logEvent("Auth success of password using strlen of inUser"); return(AUTH_SUCCESS); } else { logEvent("Auth fail of password using sizeof"); return(AUTH_FAIL); } } int main (int argc, char **argv) { int a
Bad · C
p pa pas pass
Attack
CVE ID标题CVSS风险等级Published
CVE-2023-25675 Google TensorFlow 安全漏洞 — tensorflow 7.5 High2023-03-24
CVE-2023-27579 Google TensorFlow 安全漏洞 — tensorflow 7.5 High2023-03-24
CVE-2014-125057 robitailletheknot 安全漏洞 — robitailletheknot 3.1 Low2023-01-07
CVE-2022-22203 Juniper Networks Junos OS 安全漏洞 — Junos OS 6.5 Medium2022-07-20
CVE-2022-24787 Vyper 安全漏洞 — vyper 7.5 High2022-04-04
CVE-2022-23027 F5 BIG-IP 安全漏洞 — BIG-IP 5.3 -2022-01-25
CVE-2021-3833 Artica Integria IMS 安全漏洞 — Integria IMS 9.8 Critical2021-10-07
CVE-2021-0295 Juniper Networks Junos OS 安全漏洞 — Junos OS 6.1 Medium2021-07-15
CVE-2021-20219 Linux kernel 安全漏洞 — kernel 5.5 -2021-03-23
CVE-2020-15130 slpjs 安全漏洞 — slpjs 7.5 High2020-07-30
CVE-2020-15131 slp-validate 安全漏洞 — slp-validate.js 7.5 High2020-07-30
CVE-2020-11072 SLP Validate 安全漏洞 — slp-validate 8.6 High2020-05-12
CVE-2020-11071 slpjs 安全漏洞 — slpjs 8.6 High2020-05-12
CVE-2020-10027 Zephyr 安全漏洞 — zephyr 7.8 High2020-05-11
CVE-2020-10024 Zephyr 安全漏洞 — zephyr 7.8 High2020-05-11
CVE-2020-8864 D-Link DIR-867、DIR-878和DIR-882 HNAP 安全漏洞 — Multiple Routers 8.8 -2020-03-23
CVE-2020-8862 D-Link DAP-2610 安全漏洞 — DAP-2610 8.8 -2020-02-22
CVE-2015-9238 secure-compare 安全漏洞 — secure-compare node module 5.3 -2018-05-31

CWE-697(不充分的比较) 是常见的弱点类别,本平台收录该类弱点关联的 48 条 CVE 漏洞。