"CVE-2020-19909 is everything that is wrong with CVEs"
A claimed "9.8 CRITICAL" flaw in #curl that does not exist.
https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
@dbanty I'm not that familiar with all the processes and details to tell. People tend to tell me "you should become your own CNA" as if that makes things better, but I have no idea. And also seems like a complicated way as surely not everyone can be CNAs. This system clearly needs fixing though.

@thememesniper@wetdry.world @maxbob@det.social @bagder@mastodon.social no joke i've actually seen someone do this in their grub config

We have enough problems with NVD inflating our *real* issues, doing the same thing with imaginary issues is so next level. IT HURTS DEEP IN MY SOUL.

@bagder maybe the severity of this issue is so negative that it causes NVD to run into an integer overflow of their own? 😂

@bagder I've called out a few bogus CVEs like this. There was one where after it was closed and rejected, it was filed AGAIN when the version bumped on GitHub.

@bagder that cvss vector makes no sense either. No wonder they came up with that score. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

@drizzy @bagder I enjoy UI:N for a command-line tool where the bug (not vulnerability) is a specific flag you have to use. This seems maliciously done by whomever reported it as a security issue in the first place IMO. NVD is a bit of a silly middleman pushing papers but I have no idea how TF they came up with that scoring.

@bagder Reminds me of when I looked into a high severity code execution vulnerability in Notepad++ (with its own CVE of course) for a university course assignment, which allegedly worked by simply opening a maliciously crafted file. The "high severity exploit" was simply generating an exception in a C++ std function and crashing. The vulnerability did not exist and I'm still mad about the time I wasted on it. 🥲

@bagder there was something similar with the H2 DB system within the last few weeks, CVE-2022-45868.

@bagder As a way of saying how old I am without saying how old I am. MITRE used to have a mechanism that potential issues were assigned a CAN-number. Then the elite would vote if it was indeed a vulnerability. If so, a CAN would become a CVE. Of course this soon became a mess as the CANs piled up and checking if a CAN ended up as CVE just for reference became a dreadful chore. I guess you're on the accepted risk end of the choice made to end the CAN/CVE naming and stick with CVE.
@bagder can you see any path forward where maintainers who want to could have a bigger role in maintaining their CVE list? Has NIST or would NIST consider such a thing, or would we need a whole new platform? Is there already a better alternative we could start preferring?