curl / Mailing Lists / curl-library / Single Mail

Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

CVE-2020-19909 possibly released without curl's authors ack (yet another NVD Critical)

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Samuel Henrique via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 25 Aug 2023 20:30:17 +0100

I wanted to let you know that there's a recent curl CVE published and
it doesn't look like it was acknowledged by the curl authors since
it's not mentioned in the curl website:
CVE-2020-19909

Note that the "2020" in the CVE ID is likely to be the year the report
was submitted to the CNA (not sure who processed this), but it became
public only this week.

You won't be surprised to know that NVD rated it as a "Critical":
https://nvd.nist.gov/vuln/detail/CVE-2020-19909

The CVE's description says:
> Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay.

And it points to:
https://github.com/curl/curl/pull/4166

Cheers,

-- 
Samuel Henrique <samueloph>
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html

Received on 2023-08-25

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]