We’ve noted this request to add a new entry to CWE.  MITRE’s content submission 
guidelines at 
https://cwe.mitre.org/community/submissions/guidelines.html#problems
 note that minimum expectations for content submissions should include Name, 
Summary, Extended Description, Modes of Introduction, Potential Mitigations, 
Common Consequences, Applicable Platforms, Demonstrative Examples, Observed 
Examples, Relationships, and References.  Incomplete submissions are frequently 
a cause of delays for integration into CWE.

Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not 
ideal. It is probably better placed under CWE-706: Use of Incorrectly-Resolved 
Name or Reference, where an identifier can be provided that points to an 
unexpected resource. Common examples are pathname equivalence CWE-42 for a 
trailing “.”, CWE-52 with a trailing slash, and CWE-58 for Windows 8.3 format 
filenames.

CWE probably does not use the “canonicalization” term as often as it should, 
which hurts the ability for users to discover this. Changes will need to be 
made to CWE content to make this kind of problem easier for CWE users to find.

Given how extensively DNS names are used, it seems reasonable to include 
this entry as a variant.

Thanks,
Steve



From: Kurt Seifried <k...@seifried.org>
Sent: Monday, January 24, 2022 11:50 AM
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: New CWE for DNS domain normalization/canonicalization with trailing dot

So we have:
https://cwe.mitre.org/data/definitions/20.html
https://cwe.mitre.org/data/definitions/180.html

which are both, broadly speaking, catch-all buckets too broad to be of much 
help.

I would like to propose a CWE for "Failure to properly handle DNS names with or 
without a trailing dot", e.g.:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963

and Sweden accidentally broke DNS for .se back in 2009 with a dot:
https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html

And various projects having issues with this spanning many years:
https://bugs.python.org/issue31997
https://github.com/openssl/openssl/issues/11560


--
Kurt Seifried (He/Him)
k...@seifried.org
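
The weakness proposed in this thread, shown as an added example (not code from either poster or from the projects linked above): a policy check that compares DNS names as raw strings misses the trailing-dot form of the same name, while a check that canonicalizes first does not. The host names, the `BLOCKED` set and the function names are constructed for illustration, and input is assumed to be ASCII (A-label) already.

```python
MAX_NAME = 253   # longest name in presentation format, root dot excluded
MAX_LABEL = 63   # longest single label

def canonical_host(name: str) -> str:
    """Return the form of a DNS name that is safe to compare.

    Lower-cases the name (DNS matching is case-insensitive) and removes
    exactly one trailing root dot, so "example.com." == "example.com".
    Names with empty labels ("a..b", "a.com..") are rejected, not repaired.
    """
    host = name.strip().lower()
    if host.endswith("."):
        host = host[:-1]                      # drop the root label once only
    if not host or len(host) > MAX_NAME or not host.isascii():
        raise ValueError(f"invalid DNS name: {name!r}")
    if any(not 1 <= len(label) <= MAX_LABEL for label in host.split(".")):
        raise ValueError(f"invalid label in DNS name: {name!r}")
    return host

def naive_is_blocked(host: str, blocked: set) -> bool:
    # Weak form: raw string membership, no canonicalization.
    return host in blocked

def is_blocked(host: str, blocked: set) -> bool:
    # Hardened form: canonicalize both sides, then match the name itself
    # or any subdomain of it on a label boundary.
    h = canonical_host(host)
    for entry in blocked:
        e = canonical_host(entry)
        if h == e or h.endswith("." + e):
            return True
    return False

BLOCKED = {"internal.example"}                # constructed policy entry

if __name__ == "__main__":
    for candidate in ("internal.example", "internal.example.",
                      "DB.Internal.Example.", "notinternal.example"):
        print(f"{candidate!r:28} naive={naive_is_blocked(candidate, BLOCKED)!s:5} "
              f"canonical={is_blocked(candidate, BLOCKED)}")
```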
