"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system. CVE-2020-19909 On August 25 2023, we got …

@bagder #pytest seems to have had another similar abuse, recently, of the #CVE system that caused a great deal of churn for their project:

https://github.com/pytest-dev/py/issues/287

I guess there are some new folks to the 'security' field who look to score points by filing vulnerability reports without considering the consequences or impact.

ReDoS vulnerability in svnurl.py · Issue #287 · pytest-dev/py

Good night! I found that this regex is vulnerable to Regular Expression Denial of Service. PoC:

>>> from py._path.svnurl import InfoSvnCommand
>>> payl = " 2256 hpk 165 Nov 24 17:55 __init__.py" + ...