"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system.

CVE-2020-19909

On August 25 2023, we got …

@bagder that CVSS vector makes no sense either. No wonder they came up with that score.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

@drizzy @bagder I enjoy UI:N for a command-line tool where the bug (not vulnerability) is a specific flag you have to use.

This seems maliciously done by whoever reported it as a security issue in the first place IMO. NVD is a bit of a silly middleman pushing papers but I have no idea how TF they came up with that scoring.