Extended Description
Technical Details
- Structure: Simple
- Vulnerability Mapping: DISCOURAGED
Applicable To
Security Consequences
- Scope: Other
- Impact: Varies by context. When the comparison is incorrect, it may lead to resultant weaknesses.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (3)
- Chain: Python-based HTTP proxy server uses the wrong boolean operators (CWE-480), causing an incorrect comparison (CWE-697) that identifies an authN failure only if all three conditions are met instead of any one of them, allowing bypass of the proxy authentication (CWE-1390).
- Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (CWE-697), allowing request splitting (CWE-113) and cache poisoning.
- Proxy performs an incorrect comparison of request headers, leading to an information leak.
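The first two chains above come down to a comparison that does not ask the question the code needed to ask. The following is an added illustration, not code from the affected projects or from this page; the three authentication conditions, the header formats and the sample values are constructed for the example.

```python
# Added illustration of CWE-697 for the two proxy cases above. This is not
# code from the affected projects; the auth conditions, header formats and
# sample values are constructed for this example.

def _auth_conditions(header: str, expected: str) -> tuple[bool, bool, bool]:
    """Three assumed failure conditions for a Proxy-Authorization value."""
    missing = header == ""
    wrong_scheme = not missing and not header.startswith("Basic ")
    wrong_creds = not missing and header != "Basic " + expected
    return missing, wrong_scheme, wrong_creds

def auth_fails_buggy(header: str, expected: str) -> bool:
    # Wrong boolean operator (CWE-480): the request is rejected only when
    # ALL three conditions hold, which can never happen here, so every
    # request is accepted (incorrect comparison, CWE-697).
    missing, wrong_scheme, wrong_creds = _auth_conditions(header, expected)
    return missing and wrong_scheme and wrong_creds

def auth_fails_fixed(header: str, expected: str) -> bool:
    # Any single failing condition must reject the request.
    missing, wrong_scheme, wrong_creds = _auth_conditions(header, expected)
    return missing or wrong_scheme or wrong_creds

def is_chunked_substring(transfer_encoding: str) -> bool:
    # Substring search: also matches unknown codings that merely contain
    # the word, and ignores where "chunked" sits in the list, so the proxy
    # and the origin server can disagree on how the body is framed.
    return "chunked" in transfer_encoding.lower()

def is_chunked_parsed(transfer_encoding: str) -> bool:
    # Parse the header as a comma-separated list of transfer-codings
    # (RFC 7230 section 3.3.1), dropping parameters. "chunked" counts only
    # when it is exactly the final coding and appears once; anything else
    # is treated as not chunked so the request can be rejected upstream.
    codings = [c.split(";", 1)[0].strip().lower()
               for c in transfer_encoding.split(",") if c.strip()]
    return bool(codings) and codings[-1] == "chunked" and codings.count("chunked") == 1

if __name__ == "__main__":
    secret = "alice:s3cret"  # constructed credential
    for hdr in ["", "Bearer x", "Basic bob:pw", "Basic " + secret]:
        print(repr(hdr), auth_fails_buggy(hdr, secret), auth_fails_fixed(hdr, secret))
    for te in ["chunked", "gzip, chunked", "chunked, gzip", "xchunked"]:
        print(repr(te), is_chunked_substring(te), is_chunked_parsed(te))
```

A unit test that feeds each function a missing header, a wrong credential and a correct one (and the header variants above) is the cheapest way to catch both mistakes before a proxy ships.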
Frequently Asked Questions
What is CWE-697: Incorrect Comparison?
CWE-697: Incorrect Comparison is a Common Weakness Enumeration (CWE) entry maintained by MITRE.
What are the security consequences of Incorrect Comparison?
If exploited, CWE-697 (Incorrect Comparison) can compromise security in ways that vary by context. Scope: Other. Impact: when the comparison is incorrect, it may lead to resultant weaknesses.
Which programming languages are affected by Incorrect Comparison?
CWE-697 is not tied to a particular programming language. Weaknesses like this are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Incorrect Comparison?
MITRE documents real CVEs mapped to CWE-697, including CVE-2021-3116, CVE-2020-15811 and CVE-2016-10003. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-697 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.