I see what you’re saying about the CWE-14[0-6] family being pretty limited to input processing when the issue could exist because of input or malformed output. Perhaps changing these to input/output would be more inclusive of this type of issue. Good catch.
From: Kurt Seifried <k...@seifried.org>
Sent: Friday, July 1, 2022 8:37 PM
To: CWE-RESEARCH-LIST CWE RESEARCH DISCUSSION <CWE-RESEARCH-LIST@mitre.org>
Subject: [Non-DoD Source] Is there a CWE for this?

I ran across this today while auditing CSA services quarterly:

In bl.ink URL redirection service, as of 2022-07-01 an improperly formatted security header exists in the HSTS support; specifically, the header served is "strict-transport-security: max-age=63072000; includeSubdomains;" which contains an extra semicolon (the final one is not needed). This may result in some client ignoring the HSTS header and thus rendering this security protection ineffective.

There's some stuff for inbound/input/malformed/configuration/directive/etc, but I'm not seeing anything for malformed outbound configuration/output.

--
Kurt Seifried (He/Him)
k...@seifried.org <mailto:k...@seifried.org>
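A check for the header quoted in the message above, as an added example that is not part of this thread or of any bl.ink or CWE code: a small validator for a Strict-Transport-Security field value following the directive grammar of RFC 6797 section 6.1 (the `StsCheck` structure and the function names are my own). That ABNF, `[ directive ] *( ";" [ directive ] )`, allows an empty directive slot, so the trailing semicolon is reported as a warning rather than an error, while a missing max-age, a duplicate directive or a non-token value is reported as an error, since RFC 6797 section 8.1 requires a conforming user agent to ignore a header that does not conform to the syntax.

```python
import re
from dataclasses import dataclass, field

# HTTP token and quoted-string, the two forms RFC 6797 allows for a directive-value
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_QUOTED = re.compile(r'^"(?:[^"\\]|\\.)*"$')

@dataclass
class StsCheck:
    directives: dict = field(default_factory=dict)  # lower-cased name -> value (None if bare)
    errors: list = field(default_factory=list)      # a conforming UA must ignore the whole header
    warnings: list = field(default_factory=list)    # tolerated by the grammar, but fragile

def check_sts(value: str) -> StsCheck:
    """Validate a Strict-Transport-Security field value against RFC 6797 section 6.1."""
    r = StsCheck()
    for pos, raw in enumerate(value.split(";")):
        piece = raw.strip()
        if piece == "":
            # [ directive ] *( ";" [ directive ] ): an empty slot is legal, so a trailing
            # ';' is not an error, but a stricter client parser may still reject it.
            r.warnings.append(f"empty directive at position {pos} (stray ';')")
            continue
        name, has_value, val = piece.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip() if has_value else None
        if not _TOKEN.match(name):
            r.errors.append(f"directive name is not a token: {name!r}")
        elif has_value and not (_TOKEN.match(val) or _QUOTED.match(val)):
            r.errors.append(f"value is neither token nor quoted-string: {val!r}")
        elif name in r.directives:
            r.errors.append(f"duplicate directive: {name}")  # each may appear at most once
        else:
            r.directives[name] = val
    max_age = r.directives.get("max-age")
    if "max-age" not in r.directives:
        r.errors.append("required max-age directive missing")
    elif max_age is None or not max_age.strip('"').isdigit():
        r.errors.append(f"max-age must be delta-seconds: {max_age!r}")
    if r.directives.get("includesubdomains") is not None:
        r.errors.append("includeSubDomains is valueless")
    return r

def sts_effective(value: str) -> bool:
    """True when a conforming user agent would accept the header at all."""
    return not check_sts(value).errors

if __name__ == "__main__":
    # Constructed input: the header value quoted in the message above.
    report = check_sts("max-age=63072000; includeSubdomains;")
    print(report.directives, report.errors, report.warnings)
```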