daniel:// stenberg://May 31, 2023

CVE-2023-27536

Announced by the #curl project back in March 2023. We deem it severity Low. https://curl.se/docs/CVE-2023-27536.html

NVD, in their infinite wisdom, thinks this is a CRITICAL 9.8 flaw: https://nvd.nist.gov/vuln/detail/CVE-2023-27536

I wish I knew how to fix this annoying problem but talking or whining to NVD certainly does not seem to help.

curl - GSS delegation too eager connection re-use - CVE-2023-27536

Show threadJoel
@bagder I feel your frustration. I've been dragged into the CVE mess recently for Linux kernel issues. So many low quality reports, and incorrect conclusions about exploitability. It's a huge time sink for orgs that are told they must act on every CVE.
May 31, 2023 at 10:23pmWeb