CWE-1025: Comparison Using Wrong Factors

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.

Vulnerable example

java

String str1 = new String("Hello");

Safe example

java

if (str1.equals(str2)) {

However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:

CWE-1025: Comparison Using Wrong Factors | RadicalNotion.AI

CWE-1025: Comparison Using Wrong Factors

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Manual Static Analysis

Code examples

Frequently asked questions

What is CWE-1025?

What CVEs are caused by CWE-1025?

How is CWE-1025 detected?

What are the consequences of CWE-1025?

Is CWE-1025 actively exploited?

References

Stay ahead of CWE-1025

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Manual Static Analysis

Code examples

Related weaknesses

Parent

Child

Frequently asked questions

What is CWE-1025?

What CVEs are caused by CWE-1025?

How is CWE-1025 detected?

What are the consequences of CWE-1025?

Is CWE-1025 actively exploited?

References

Stay ahead of CWE-1025