Détail du CWE-783


Operator Precedence Logic Error
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Operator Precedence Logic Error

The product uses an expression in which operator precedence causes incorrect logic to be used.

Description du CWE

While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.

Informations générales

Modes d'introduction

Implementation : Logic errors related to operator precedence may cause problems even during normal operation, so they are probably discovered quickly during the testing phase. If testing is incomplete or there is a strong reliance on manual review of the code, then these errors may not be discovered before the software is deployed.

Plateformes applicables


Name: C (Rarely)
Name: C++ (Rarely)
Class: Not Language-Specific (Rarely)

Conséquences courantes

Portée Impact Probabilité
Varies by Context, Unexpected State

Note: The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.

Exemples observés

Références Description


Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".


Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.


Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

Mesures d’atténuation potentielles

Phases : Implementation
Regularly wrap sub-expressions in parentheses, especially in security-critical code.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.



EXP00-C. Use parentheses for precedence of operation


The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.


Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2009-07-16 +00:00 2009-07-27 +00:00 1.5


Nom Organisation Date Commentaire
CWE Content Team MITRE 2009-12-28 +00:00 updated Observed_Examples
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Taxonomy_Mappings, Time_of_Introduction
CWE Content Team MITRE 2019-01-03 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Type
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes