Bugzilla – Bug 1214495
VUL-0: CVE-2020-19909: curl: Integer overflow vulnerability in tool_operate.c via crafted value as the retry delay.
Last modified: 2023-08-28 13:36:16 UTC
CVE-2020-19909 Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-19909
https://www.cve.org/CVERecord?id=CVE-2020-19909
https://github.com/curl/curl/pull/4166
FTR: The issue was fixed back in 2019 via the same patch submitted here by Pedro, and upstream never considered it a security bug [0]; indeed, they added it to a "Bogus security vulnerabilities" section in their security advisories page [1].
[0] https://curl.se/docs/CVE-2020-19909.html
[1] https://curl.se/docs/security.html
More details from Daniel's personal blog [0].
[0] https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
Now disputed in Mitre [0] and NVD [1]. Hence, I flag it as invalid on our internal vulnerability tracker.
[0] https://www.cve.org/CVERecord?id=CVE-2020-19909
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-19909
Closing as invalid.