CWE-1389Incorrect Parsing of Numbers with Different Radices

PUBLISHEDweakness record
released 2022-10-13 · last modified 2025-12-11

Metadata

CWE ID:
CWE-1389
摘要:
Base
结构:
Simple
状态:
Incomplete
发布日期:
2022-10-13
更新日期:
2025-12-11

名称

Incorrect Parsing of Numbers with Different Radices

描述

The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).

Frequently, a numeric input that begins with "0" is treated as octal, or "0x" causes it to be treated as hexadecimal, e.g. by the inet_addr() function. For example, "023" (octal) is 35 decimal, or "0x31" is 49 decimal. Other bases may be used as well. If the developer assumes decimal-only inputs, the code could produce incorrect numbers when the inputs are parsed using a different base. This can result in unexpected and/or dangerous behavior. For example, a "0127.0.0.1" IP address is parsed as octal due to the leading "0", whose numeric value would be the same as 87.0.0.1 (decimal), where the developer likely expected to use 127.0.0.1. The consequences vary depending on the surrounding code in which this weakness occurs, but they can include bypassing network-based access control using unexpected IP addresses or netmasks, or causing apparently-symbolic identifiers to be processed as if they are numbers. In web applications, this can enable bypassing of SSRF restrictions.

常见后果

范围:
Confidentiality
影响:
Read Application Data
注释:
An attacker may use an unexpected numerical base to access private application resources.
范围:
Integrity
影响:
Bypass Protection Mechanism, Alter Execution Logic
注释:
An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms.

相关 CWE