We’ve noted this request to add a new entry to CWE.  MITRE’s content submission 
guidelines at 
 note that minimum expectations for content submissions should include Name, 
Summary, Extended Description, Modes of Introduction, Potential Mitigations, 
Common Consequences, Applicable Platforms, Demonstrative Examples, Observed 
Examples, Relationships, and References.  Incomplete submissions are frequently 
a cause of delays for integration into CWE.

Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not 
ideal. It is probably better placed under CWE-706: Use of Incorrectly-Resolved 
Name or Reference, where an identifier can be provided that points to an 
unexpected resource. Common examples are pathname equivalence CWE-42 for a 
trailing “.”, CWE-52 with a trailing slash, and CWE-58 for Windows 8.3 format 

CWE probably does not use the “canonicalization” term as often as it should, 
which hurts the ability for users to discover this. Changes will need to be 
made to CWE content to make this kind of problem easier for CWE users to find.

Given how extensively DNS names are used, it seems reasonable for including 
this entry as a variant.


From: Kurt Seifried <k...@seifried.org>
Sent: Monday, January 24, 2022 11:50 AM
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: New CWE for DNS domain normalization/canonicalization with trailing dot

New CWE for DNS domain normalization/canonicalization with trailing dot

So we have:

which are both, broadly speaking, catch-all buckets too broad to be of much 

I would like to propose a CWE for "Failure to properly handle DNS names with or 
without a trailing dot", e.g.:


and Sweden accidentally broke DNS for .se back in 2009 with a dot:

And various projects having issues with this spanning many years:

Kurt Seifried (He/Him)

Reply via email to