Weaknesses in this category are related to comparison.
| ID | Name | Description |
|---|---|---|
| CWE-1023 | Incomplete Comparison with Missing Factors | This weakness occurs when a program compares two items but fails to check all the necessary attributes that define their true relationship. The incomplete check can cause the software to treat different items as identical or make incorrect security decisions. |
| CWE-1024 | Comparison of Incompatible Types | This vulnerability occurs when code directly compares two values of fundamentally different data types, which can lead to unreliable or incorrect results because the comparison logic doesn't handle the type mismatch properly. |
| CWE-1025 | Comparison Using Wrong Factors | This weakness occurs when a program compares two items but checks the wrong properties or attributes. This flawed comparison leads to incorrect decisions, creating security and logic errors. |
| CWE-1077 | Floating Point Comparison with Incorrect Operator | This vulnerability occurs when code compares two floating-point numbers using direct equality operators (like == or !=) without accounting for inherent precision limitations. These operators fail to consider tiny rounding differences that are common in floating-point arithmetic, leading to incorrect or unexpected comparison results. |
| CWE-183 | Permissive List of Allowed Inputs | This vulnerability occurs when an application's security filter uses an allowlist that is too broad, mistakenly permitting dangerous inputs that should have been blocked. The flawed assumption that everything on the list is safe creates a direct path for attackers to exploit the system. |
| CWE-185 | Incorrect Regular Expression | This vulnerability occurs when a regular expression is written incorrectly, causing it to match or validate data in unintended and potentially dangerous ways. |
| CWE-186 | Overly Restrictive Regular Expression | This weakness occurs when a regular expression is too narrow, failing to detect all the dangerous or unexpected input values it was designed to catch. |
| CWE-187 | Partial String Comparison | This weakness occurs when software checks only part of a string or token to determine a match, instead of comparing the entire value. This incomplete validation can lead to incorrect security decisions. |
| CWE-478 | Missing Default Case in Multiple Condition Expression | This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values. |
| CWE-486 | Comparison of Classes by Name | This vulnerability occurs when an application determines an object's trustworthiness or behavior solely by checking its class name. Since multiple classes can share identical names across different packages or classloaders, this comparison can lead to using the wrong, potentially malicious, class. |
| CWE-595 | Comparison of Object References Instead of Object Contents | This vulnerability occurs when code incorrectly checks if two object references point to the same memory location, rather than comparing the actual data or values contained within the objects. This mistake prevents the software from correctly identifying when two separate objects hold equivalent content. |
| CWE-597 | Use of Wrong Operator in String Comparison | This vulnerability occurs when a developer incorrectly compares string values, typically by using reference equality operators (like == or !=) instead of dedicated string comparison methods (like .equals()). |
| CWE-625 | Permissive Regular Expression | This weakness occurs when a regular expression is too permissive, failing to properly validate or sanitize input by allowing unintended values or patterns. |
| CWE-697 | Incorrect Comparison | This weakness occurs when a security-critical decision relies on a flawed comparison between two pieces of data. The incorrect logic can create a gap that attackers exploit to bypass checks or trigger unintended behavior. |
| CWE-777 | Regular Expression without Anchors | This vulnerability occurs when a regular expression used for validation or sanitization lacks anchors, allowing unintended characters or malicious payloads to bypass security checks. |
| CWE-839 | Numeric Range Comparison Without Minimum Check | This vulnerability occurs when software validates that a number is within an acceptable range by only checking that it's less than or equal to a maximum value, but fails to also verify that it is greater than or equal to a required minimum. This oversight can allow negative or otherwise invalid low values to pass the check, leading to unexpected behavior. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends | |