What is the authoritative source for CWE-172?

Encoding Error (CWE-172) is catalogued in MITRE CWE and curated for EU compliance use cases by SQUR.

ClassDraft

CWE-172Encoding Error

Category: other

The product does not properly encode or decode the data, resulting in unexpected values.

[Implementation]
[Implementation]While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
[Implementation]Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Type	Target	Confidence	Tier
AttackPattern	Double Encodingcapec-120	100%	live
AttackPattern	Postfix, Null Terminate, and Backslashcapec-53	100%	live
AttackPattern	Using UTF-8 Encoding to Bypass Validation Logiccapec-80	100%	live
AttackPattern	Using Slashes and URL Encoding Combined to Bypass Validation Logiccapec-64	100%	live
AttackPattern	Using Unicode Encoding to Bypass Validation Logiccapec-71	100%	live
AttackPattern	Using Escaped Slashes in Alternate Encodingcapec-78	100%	live
AttackPattern	Using Leading 'Ghost' Character Sequences to Bypass Input Filterscapec-3	100%	live
AttackPattern	URL Encodingcapec-72	100%	live
AttackPattern	Embedding NULL Bytescapec-52	100%	live
AttackPattern	Leverage Alternate Encodingcapec-267	100%	live