CWE-1025: Comparison Using Wrong Factors
The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
View on MITREExtended Description
This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.
However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:
In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.
However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-1025: Comparison Using Wrong Factors?+
CWE-1025: Comparison Using Wrong Factors is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.
What are the security consequences of Comparison Using Wrong Factors?+
If exploited, CWE-1025 (Comparison Using Wrong Factors) it can compromise Other, leading to outcomes such as Varies by Context.
How do you prevent or mitigate Comparison Using Wrong Factors?+
Recommended mitigations for CWE-1025 include: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Which programming languages are affected by Comparison Using Wrong Factors?+
CWE-1025 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-1025 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.