Skip to main content

Another bogus #curl #CVE is now in the wild: cve.org/CVERecord?id=CVE-2023-…

cve-website

www.cve.org
#curl #cve
in reply to daniel:// stenberg://

jomo
jomo
sucks that you have to deal with this :(
Do you have any idea who is filing these and what their motivation is? Or do they believe these to be genuine bugs?
in reply to daniel:// stenberg://

Ondřej Surý
Ondřej Surý
WTH was this assigned a CVE?
in reply to Ondřej Surý

daniel:// stenberg://
daniel:// stenberg://
@ondrej it happened before we became CNA but yeah, there is clearly no filtering what so ever
@Ondřej Surý
in reply to daniel:// stenberg://

Ondřej Surý
Ondřej Surý

MITRE page contains a little bit more information: cve.mitre.org/cgi-bin/cvename.…

Hope this bullshit will not cease a little bit once you became your own CNA. There should be some penalty for people filling bogus CVEs with MITRE…

CVE - CVE-2023-52071

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
cve.mitre.org
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

We are going to try to reject it proper, but here is my take on it:

curl.se/docs/CVE-2023-52071.ht…

curl - Bogus report filed by anonymous - CVE-2023-52071

curl.se
in reply to daniel:// stenberg://

Josh Bressers
Josh Bressers
@hanno I thought the purpose of becoming a CNA was so they would send these requests to you instead of blindly filing them
@hanno
in reply to Josh Bressers

daniel:// stenberg://
daniel:// stenberg://
@joshbressers @hanno correct, but this was filed before we were accepted. We are now getting it assigned so I believe we will get the mandate to reject it... we'll soon find out!
@hanno @Josh Bressers
in reply to daniel:// stenberg://

🔗 David Sommerseth
🔗 David Sommerseth

@joshbressers @hanno

AFAIR, to reject it has a very high barrier, like not being relevant to the project it's assigned to at all. Or pointing at features/code paths not available and such things. Basically the content of CVE record is completely wrong, not the claim towards the project itself.

I would expect DISPUTED being the right solution, preferably with a URL to the detail why it's wrong.

There is a closed CVE slack where such things can be discussed, though.

@hanno @Josh Bressers
in reply to daniel:// stenberg://

Efraim Flashner
Efraim Flashner
I like the "Thanks a lot!" at the bottom. Both thanks for reading this and thanks for making me feel with this. 😜
in reply to daniel:// stenberg://

🔗 David Sommerseth
🔗 David Sommerseth

> The curl security team will work on getting this CVE rejected.

Good luck on that. At best, it will be labelled as "disputed".

I would recommend you to become a CNA yourself for curl. The general CVE policy is that any reporter need to first reach out to the appropriate CNA to get a CVE for an issue. A reporter can go to a root CNA too, but only after the project CNA has been reached. And there are some conflict resolution policy if the CNA and reporter disagrees.

It's a bit of "paperwork" and administrative steps to get approved as a CNA. You need to document security policies and processes and show you understand how CVE's are worded and registered. But I would expect curl to be in a good position to get approved.

We did that a while back in OpenVPN. And the tooling (in particular cvelib) makes it pretty easy to register and publish CVEs.

in reply to daniel:// stenberg://

Martin Peck
Martin Peck

This is perfect...

"We cannot say which and the distinction does not matter to us."

in reply to daniel:// stenberg://

0ddj0bb
0ddj0bb

"Do not blindly trust the CVE system. It is full of cracks and bogus reports such as CVE-2023-52071."

Okay that seems a bit extreme. Sure do your research seems verify stuff but is it really full of bogus reports?

in reply to 0ddj0bb

daniel:// stenberg://
daniel:// stenberg://
@0ddj0bb yes it is. Numerous projects get the same kind of crap. This is not an isolated case. I can't say numbers, but I would say there are easily hundreds of equally bad/bogus ones.
@0ddj0bb
in reply to daniel:// stenberg://

0ddj0bb
0ddj0bb

i wouldn't call 5.8% of cves to be "full" of junk.

Maybe I'm just focusing too much on full there. Just seems unnecessary hyperbole that tries to call the entire nvd into question on its credibility.

It does seem nvd does respond well to rejection process.

in reply to 0ddj0bb

daniel:// stenberg://
daniel:// stenberg://
@0ddj0bb NVD does not reject things at all. If MITRE does not reject a CVE, NVD will host it. Been there, tried that.
@0ddj0bb
in reply to daniel:// stenberg://

0ddj0bb
0ddj0bb
they've rejected over 13000 cves. So i can't find that they don't reject anything.
in reply to 0ddj0bb

daniel:// stenberg://
daniel:// stenberg://
that says there are 13,000 rejected ones. Not that NVD rejected them.
This entry was edited (9 months ago)
in reply to daniel:// stenberg://

Yaksh Bariya
Yaksh Bariya
AFAIK this is the second totally bogus CVE for curl! I'm not happy with the people who are doing this. This needs to be stopped ASAP
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
first email arrived asking me about the "new CVE" ...
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
and look what "they" do with it: vuldb.com/?id.252369
in reply to daniel:// stenberg://

Lars Wirzenius
Lars Wirzenius
Wait, what? I can get up to 5 kilodollars for reporting bugs that curl has already fixed as new security issues and providing the patch, that curl has already made, as a fix? Where do I sign up? I could start buying LEGO if this works.
in reply to daniel:// stenberg://

freund
freund

I like how the description is just straight up wrong:

"The product uses untrusted input when calculating or using an array index, [...]",

when the patch they even refer to makes it obvious that there is no input involved at all.

in reply to daniel:// stenberg://

Fabian ¯\_(ツ)_/¯
Fabian ¯\_(ツ)_/¯
"Hey David, the security of our users is our top priority! Please tell me in all details how you plan to fix this vulnerability in our systems."