"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/


This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system. CVE-2020-19909 On August 25 2023, we got …

@bagder Be grateful they didn’t rate it a 9.9 😉 Ever wondered what kind of “security incident” would warrant a solid 10.0 for curl? 😄
@maxbob @bagder If you point curl at a URL with malicious code, you can download malicious code.

@phi1997 @maxbob @bagder but that would still require user intervention, running curl that is, which afaik would not qualify for a 10

(and - as my brain is still a bit slower than my fingers, I noticed the cynicism in your reply)