VYPR

CWE-697

Incorrect Comparison

PillarIncomplete

Description

The product compares two entities in a security-relevant context, but the comparison is incorrect.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-120 · CAPEC-14 · CAPEC-15 · CAPEC-182 · CAPEC-24 · CAPEC-267 · CAPEC-3 · CAPEC-41 · CAPEC-43 · CAPEC-44 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-52 · CAPEC-53 · CAPEC-6 · CAPEC-64 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-88 · CAPEC-9 · CAPEC-92

CVEs mapped to this weakness (70)

page 2 of 4
  • CVE-2023-32571Jun 22, 2023
    risk 0.06cvss epss 0.35

    Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when untrusted input to methods including Where, Select, OrderBy is parsed.

  • CVE-2019-10071Sep 16, 2019
    risk 0.01cvss epss 0.09

    The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their…

  • CVE-2026-53873Jun 17, 2026
    risk 0.00cvss epss 0.00

    picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling…

  • CVE-2026-32322Mar 12, 2026
    risk 0.00cvss epss 0.00

    soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, The Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused…

  • CVE-2026-26275Feb 19, 2026
    risk 0.00cvss epss 0.00

    httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if…

  • CVE-2025-47776Nov 4, 2025
    risk 0.00cvss epss 0.00

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below.PHP type juggling will cause certain MD5 hashes matching scientific notation to be…

  • CVE-2025-59350Sep 17, 2025
    risk 0.00cvss epss 0.00

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one…

  • CVE-2024-12224May 30, 2025
    risk 0.00cvss epss 0.00

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2024-56522Dec 27, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.

  • CVE-2024-53861Nov 29, 2024
    risk 0.00cvss epss 0.01

    pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to…

  • CVE-2024-23903Jan 24, 2024
    risk 0.00cvss epss 0.01

    Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46660Oct 25, 2023
    risk 0.00cvss epss 0.00

    Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46658Oct 25, 2023
    risk 0.00cvss epss 0.01

    Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46657Oct 25, 2023
    risk 0.00cvss epss 0.01

    Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46656Oct 25, 2023
    risk 0.00cvss epss 0.01

    Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-45133Oct 12, 2023
    risk 0.00cvss epss 0.01

    Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when…

  • CVE-2023-44378Oct 9, 2023
    risk 0.00cvss epss 0.00

    gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second…

  • CVE-2023-41936Sep 6, 2023
    risk 0.00cvss epss 0.01

    Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.

  • CVE-2023-41935Sep 6, 2023
    risk 0.00cvss epss 0.01

    Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to…

  • CVE-2023-40037Aug 18, 2023
    risk 0.00cvss epss 0.02

    Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL…