CVE-2023-27536

Announced by the #curl project back in March 2023. We deem it severity Low. https://curl.se/docs/CVE-2023-27536.html

NVD, in their infinite wisdom, thinks this is a CRITICAL 9.8 flaw: https://nvd.nist.gov/vuln/detail/CVE-2023-27536

I wish I knew how to fix this annoying problem but talking or whining to NVD certainly does not seem to help.

curl - GSS delegation too eager connection re-use - CVE-2023-27536

After my complaint the NVD has "downgraded" it to a 7.5 (high).

My response: you are scaremongering. It is not a high either.

@bagder 100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.

My take on this is that, like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own, which I understand can give them some control over the content of CVEs filed against their project. https://www.cve.org/ProgramOrganization/CNAs

#cve #cvss #cna #oss


@bagder "unauthorized access to sensitive information" (from NVD)
@foxxo yes?
@bagder It's understandable why they marked it as critical with that description. I feel like if there is the phrase "sensitive information" in the description, NVD will mark it as critical.
@bagder I think they wised up some more and started serving a 503 for that link instead heh
@bagder I feel your frustration. I've been dragged into the CVE mess recently for Linux kernel issues. So many low quality reports, and incorrect conclusions about exploitability. It's a huge time sink for orgs that are told they must act on every CVE.