CVE-2020-19909
published 2023-08-22CVE-2020-19909: Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct…
PriorityP49low3.3CVSS 3.1
AVLACLPRLUINSUCNINAL
EPSS
0.02%
5.1th percentile
Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.66.0-1 (bookworm) | curl 7.66.0-1 (bookworm) |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 7.66.0-1 | 7.66.0-1 |
| haxx | curl | >= 0 < 7.66.0-1 | 7.66.0-1 |
| haxx | curl | >= 0 < 7.66.0-1 | 7.66.0-1 |
| haxx | curl | >= 0 < 7.66.0-1 | 7.66.0-1 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.19 | 7.68.0-1ubuntu2.19 |
CVSS provenance
nvdv3.13.3LOWCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
osv3.3LOW
vendor_debian3.3LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2020-19909: Integer overflow vulnerability in tool_operate
osv·2023-08-22·CVSS 3.3
CVE-2020-19909 [LOW] CVE-2020-19909: Integer overflow vulnerability in tool_operate
Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.
OSV
CVE-2020-19909: ** DISPUTED ** Integer overflow vulnerability in tool_operate
osv·2023-08-22·CVSS 3.3
CVE-2020-19909 [LOW] CVE-2020-19909: ** DISPUTED ** Integer overflow vulnerability in tool_operate
** DISPUTED ** Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.
GHSA
GHSA-2792-x8v5-77wp: Integer overflow vulnerability in tool_operate
ghsa_unreviewed·2023-08-22
CVE-2020-19909 [LOW] CWE-190 GHSA-2792-x8v5-77wp: Integer overflow vulnerability in tool_operate
Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay.
CISA ICS
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
cisa_ics·2023-12-14
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
ICS Advisory
##
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
Release DateDecember 14, 2023
Alert CodeICSA-23-348-10
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
- Vulnerabilities: Improper Restriction of XML External Entity Reference, Time-of-check Time-of-use (TOCTOU) Race Condition, Command Injection, Miss
Debian
CVE-2020-19909: curl - Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large valu...
vendor_debian·2020·CVSS 3.3
CVE-2020-19909 [LOW] CVE-2020-19909: curl - Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large valu...
Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.
Scope: local
bookworm: resolved (fixed in 7.66.0-1)
bullseye: resolved (fixed in 7.66.0-1)
forky: resolved (fixed in 7.66.0-1)
sid: resolved (fixed in 7.66.0-1)
trixie: resolved (fixed in 7.66.0-1)
No detection rules found.
No public exploits indexed.
2023-08-22
Published