Hi friends,

I just wanted to make you all aware of what happened over the weekend.

On Sunday afternoon, Harry Sintonen made us aware that several security-related websites posted articles about the "CRITICAL curl security flaw".

We announced that as severity LOW earlier this week. How and why did this massive severity level bump happen?

The job that was done by NVD in the past, setting CVSS scores on published CVEs, is nowadays done by CISA (Cybersecurity and Infrastructure Security Agency) as they are now an "ADP" (Authorized Data Publisher) within the CVE program.

They are the new know-it-all organization and will quickly fill in some values in a CVSS calculator and set that for CVEs. I presume for CVEs that are lacking the score.

CISA has a GitHub repository [2] with all their data and in there we can see how they committed info for CVE-2024-11053 [1] on December 11.

15:01 yesterday I posted on Mastodon [3] that this CVE is certainly not a critical security problem, and shortly thereafter at 15:42 I submitted a PR [4] to CISA to update the metadata to something more reasonable. I figured 5.3 could possibly work.

At 18:13, CISA instead pushed an update [5] that was not my PR. It lowered the score even further; all the way down to 3.4. I then closed my PR once I realized this happened.

Unfortunately, few of those alarmist websites probably will update after this update so I suspect we will see this CRITICAL label floating around for a while. Now you know how it happened.

Now, enjoy your Monday!

[1] = https://github.com/cisagov/vulnrichment/blob/develop/2024/11xxx/CVE-2024-11053.json
[2] = https://github.com/cisagov/vulnrichment
[3] = https://mastodon.social/@bagder/113657205050547339
[4] = https://github.com/cisagov/vulnrichment/pull/151
[5] = https://github.com/cisagov/vulnrichment/commit/91fadb2bf6b461638c8155978b9f20cf17e51fe3

--

 / daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html