CWE-783: Operator Precedence Logic Error
The product uses an expression in which operator precedence causes incorrect logic to be used.
View on MITREExtended Description
While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.
Mitigation Strategies
Phase
Description
Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.
However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.
In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.
However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.
Observed CVE Examples (3)
Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
View DetailsChain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
View DetailsChain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
View DetailsCWE Relationships
Frequently Asked Questions
What is CWE-783: Operator Precedence Logic Error?+
CWE-783: Operator Precedence Logic Error is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses an expression in which operator precedence causes incorrect logic to be used. While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.
What are the security consequences of Operator Precedence Logic Error?+
If exploited, CWE-783 (Operator Precedence Logic Error) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Varies by Context and Unexpected State.
How do you prevent or mitigate Operator Precedence Logic Error?+
Recommended mitigations for CWE-783 include: Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Which programming languages are affected by Operator Precedence Logic Error?+
CWE-783 commonly affects C, C++ and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Operator Precedence Logic Error?+
MITRE documents real CVEs mapped to CWE-783, including CVE-2008-2516, CVE-2008-0599 and CVE-2001-1155. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-783 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.