List of CWE for "state of exploitation" value PoC "the vulnerability has a well-known method of exploitation."

[j---]

Create a draft list of CWE-IDs where this condition described in the text holds.
Goal is to get a first pass done, it will be hard to be exhaustive the list can always be refined later.
Proposed format for the file is CSV with two fields
CWE-ID,URL of open-source project that captures the well-known method of exploitation

For example, if it is on-path attacker TLS certificate interception,
CWE-ID-300,http://www.squid-cache.org/Versions/

Reading the CWE documentation on this raises some issues.
https://cwe.mitre.org/data/definitions/300.html

CWE-ID-300 is about all on-path attacker scenarios, not just TLS.
This is partly good -- Squid can also proxy HTTP or FTP, for example. If CWE-ID-300 also applies to email client/server authentication, then squid isn't sufficient evidence to cover that. NGINX does seem to cover that, so it isn't a problem as far as listing the CWE as meeting the requirements for the "state of exploitation" criteria. But we might want to add another line

CWE-ID-300,https://www.nginx.com/resources/wiki/start/topics/examples/imapproxyexample/

I'm happy for us to have multiple lines of evidence supporting one CWE-ID. The thing we really need to flag is example CVE-IDs that match the CWE-ID but do not match the intended "state of exploitation" criteria of "well-known method of exploitation." I can't think of one for on-path attacker. If there end up being CWE-IDs where the answer to the "state of exploitation" criteria here is "sometimes" then we will discuss how to handle that then. For now, I want to see how much value we can add by create the list of "definitely yes" CWEs for the question "well-known method of exploitation" and see if that is useful, and we can go from there.

[j---]

In addition to or instead of CWEs, CAPEC may be a useful identifier. For example, https://capec.mitre.org/data/definitions/94.html is on-path attacker in general. Perhaps we could get the right amount of precision by saying if (CWE-300 AND CAPEC-94). But will need to look into data quality / availability to see if that is practicable right now.

[zmanion]

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Is this common and simple enough? This can sometimes get complicated or non-obvious, e.g., multiple encodings.

[j---]

Is this common and simple enough?

Maybe. I think the answer to this is "what is the open-source tool or system that makes the exploitation of CWE-22 trivial"?
In my CWE-300 example, I identified Squid. I know an attacker would need to expertise to be able to configure Squid, but the point is the tool is available and the config details you might need are usually present in a vul description for something that is an instance of CWE-300. Can you connect the dots for us on CWE-22?