A CVE Dispute
6 hours ago
- #Curl Project
- #CVE Management
- #Security Vulnerability
- The curl project became a CNA (CVE Numbering Authority), which lets it assign its own CVE identifiers.
- It has published 57 CVEs since becoming a CNA, which illustrates how easy it is to issue one.
- Curl's process involves assessing each report and grading its severity as LOW, MEDIUM, HIGH, or CRITICAL.
- Some issues are judged 'lower than LOW' and are not given a CVE, so that they do not trigger unnecessary security alerts.
- Because curl is installed so widely, every CVE carries a high ecosystem cost, so the identifiers have to be used responsibly.
- A dispute arose over a bug in curl's hostname matching when the hostname has a leading dot; MITRE sided with curl's decision not to assign a CVE.
- The bug could only be triggered under rare conditions, requiring a local attacker and a specific configuration, which was deemed too unlikely to count as a vulnerability.