CWE-1023: Incomplete Comparison with Missing Factors

CWE-1023: Incomplete Comparison with Missing Factors | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.

Vulnerable example

java

public class Truck {

Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included.

This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Vulnerable example

/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */

Attack input

plaintext

CWE-1023: Incomplete Comparison with Missing Factors

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Manual Static Analysis

Code examples

Illustrative examples

Frequently asked questions

What is CWE-1023?

What CVEs are caused by CWE-1023?

How is CWE-1023 detected?

What are the consequences of CWE-1023?

Is CWE-1023 actively exploited?

References

Stay ahead of CWE-1023

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Manual Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Frequently asked questions

What is CWE-1023?

What CVEs are caused by CWE-1023?

How is CWE-1023 detected?

What are the consequences of CWE-1023?

Is CWE-1023 actively exploited?

References

Stay ahead of CWE-1023