For the most part, it's not common to be able to make a server call curl with an arbitrary server, which is usually required to exploit this sort of thing. There will be some vulnerable apps, but the vast majority of servers with this vulnerability present won't be exploitable in any practical sense.
You have to consider the author of curl has recently been vocal against CVE scoring for vulnerabilities that require very specific conditions or user stupidity to trigger. For him to come out with "the one rated HIGH is probably the worst curl security flaw in a long time" most likely means it's bad.