CVEbaza.plSłownik CWECWE-1025
Common Weakness Enumeration

CWE-1025

Comparison Using Wrong Factors

Kategoria: BaseCVE: 12
Opis

Kod wykonuje porównanie między dwoma jednostkami, ale porównanie bada nieprawidłowe czynniki lub cechy tych jednostek. Może to prowadzić do nieprawidłowych wyników i powstałych w ich wyniku luk w bezpieczeństwie.

Description (EN)

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Podatności CVE z CWE-1025 (12)
9.3
CVSS
CRITICAL
CVE-2025-25306

Platforma Misskey nie weryfikuje poprawnie relacji między polami `id` i `url` obiektów ActivityPub, co pozwala atakującemu na sfałszowanie autorytetu w polu `url`. Jest to obejście wcześniejszego patcha dla CVE-2024-52591 i może prowadzić do manipulacji danymi federacyjnymi z krytycznym wpływem na integralność.

pub. 2025-03-10
8.1
CVSS
HIGH
CVE-2026-9800

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.

pub. 2026-06-25
7.5
CVSS
HIGH
CVE-2026-48860

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3. This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

pub. 2026-06-10
7.2
CVSS
HIGH
CVE-2026-40880

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2.

pub. 2026-04-21
6.8
CVSS
MEDIUM
CVE-2025-32464

HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.

pub. 2025-04-09
6.2
CVSS
MEDIUM
CVE-2026-40227

In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.

pub. 2026-04-10
5.8
CVSS
MEDIUM
CVE-2024-20342

Multiple Cisco products are affected by a vulnerability in the rate filtering feature of the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured rate limiting filter.  This vulnerability is due to an incorrect connection count comparison. An attacker could exploit this vulnerability by sending traffic through an affected device at a rate that exceeds a configured rate filter. A successful exploit could allow the attacker to successfully bypass the rate filter. This could allow unintended traffic to enter the network protected by the affected device.

pub. 2024-10-23
5.7
CVSS
MEDIUM
CVE-2025-2887

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

pub. 2025-03-27
5.7
CVSS
MEDIUM
CVE-2025-2888

During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

pub. 2025-03-27
5.4
CVSS
MEDIUM
CVE-2026-21691

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTag:IsTypeCompressed()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

pub. 2026-01-07
3.2
CVSS
LOW
CVE-2025-27839

operations/attestation/AttestationTask.kt in the Tangem SDK before 5.18.3 for Android has a logic flow in offline wallet attestation (genuineness check) that causes verification results to be disregarded during the first scan of a card. Exploitation may not have been possible.

pub. 2025-03-08
Informacje
ID: CWE-1025
Typ: Base
Podatności: 12
MITRE CWE ↗
← Słownik CWE
CWE-1025 — Porównanie przy użyciu nieprawidłowych czynników | Słownik CWE | CVEbaza.pl