CVE-2020-19909

Bogus report filed by anonymous

Project curl Security Dismissal, August 26 2023

VULNERABILITY

None. CVE-2020-19909 was filed and made public by an anonymous person due to incompetence or malice. We cannot say which and the distinction does not matter to us.

The original description says:

"Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay."

REJECTION DENIED

We requested MITRE to reject the CVE on the basis that it is not a security vulnerability. MITRE, in their infinite wisdom, denied the rejection with the following motivation:

"After review there are multiple perspectives on whether the issue information is helpful to consumers of the CVE List, our current preference is in the direction of keeping the CVE ID assignment. There is a valid weakness (integer overflow) that can lead to a valid security impact (denial of service, based on retrying network traffic much more often than is documented/requested). The record has been flagged as DISPUTED and the views have been recorded as a NOTE in the record as well. This request will now be closed."
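The weakness class MITRE describes is a delay value that wraps around when it is converted for use, so a huge requested delay becomes a tiny one and the retry loop fires far more often than asked for. The following is an added, constructed illustration of that class and of the check that prevents it; it is not curl's tool_operate.c and the function names, the seconds-to-milliseconds conversion and the 32-bit type are assumptions, not curl's actual code.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not curl code: a tool accepts a retry delay
 * in seconds and needs it in milliseconds for its sleep call. */

/* Weak form: the multiplication is done in 32-bit unsigned arithmetic,
 * which wraps modulo 2^32. A large input therefore yields a small delay
 * instead of a long one (e.g. 4294968 s -> 704 ms). */
uint32_t delay_ms_unchecked(uint32_t seconds)
{
    return seconds * 1000u;
}

/* Checked form: refuse any value whose conversion would not fit, so the
 * delay that is actually used can never be shorter than requested.
 * Returns the delay in ms, or -1 when the input is out of range. */
int64_t delay_ms_checked(uint32_t seconds)
{
    if (seconds > UINT32_MAX / 1000u)
        return -1;                 /* would wrap: reject instead */
    return (int64_t)seconds * 1000;
}

/* How many retries a loop sleeping delay_ms between attempts performs
 * within a window of window_ms. A wrapped delay of 0 would be a tight
 * loop; count one attempt per millisecond to keep the figure finite. */
uint64_t retries_in_window(uint32_t delay_ms, uint64_t window_ms)
{
    if (delay_ms == 0)
        delay_ms = 1;
    return window_ms / delay_ms;
}

int main(void)
{
    /* Constructed sample: a user asks for a delay of 4294968 seconds. */
    uint32_t seconds = 4294968u;
    uint32_t wrapped = delay_ms_unchecked(seconds);
    int64_t checked = delay_ms_checked(seconds);

    printf("requested %u s\n", seconds);
    printf("unchecked: %u ms -> %llu retries per minute\n", wrapped,
           (unsigned long long)retries_in_window(wrapped, 60000));
    printf("checked:   %lld (negative = rejected, no retry storm)\n",
           (long long)checked);
    return 0;
}
```

The checked conversion is the fix one would expect for a bug of this kind: validate before the arithmetic rather than after, and treat an out-of-range delay as an input error instead of silently using whatever value the wrap produced.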

INFO

CVE-2020-19909 was filed on August 22 2023. Its existence was reported to us on August 25.

The issue was initially reported to the curl security team on July 27 2019 and determined not to be a security vulnerability. It was classified as a "plain bug".

The bug was fixed on July 29, 2019.

The bugfix shipped in curl 7.66.0, released on September 11, 2019.

AFFECTED VERSIONS

It does not affect any version. It is not a security problem. It was a bug that we fixed in mid 2019.

SOLUTION

Relax. Use curl as usual.

RECOMMENDATIONS

Do not blindly trust the CVE system. It is full of cracks and bogus reports such as CVE-2020-19909.

TIMELINE

This CVE was made public on August 22 2023. We were notified about it on August 25. Daniel wrote an explanatory blog post early August 26.

CREDITS

Thanks a lot!