[technion]

For the most part it's not common to be able to make a server call curl with an arbitrary server which is usually required to exploit this sort of thing. There will be some vulnerable apps, but the vast majority of servers with this vulnerability present won't be exploitable in any practical sense.

[worksonmine]

You have to consider the author of curl has recently been vocal against CVE scoring for vulnerabilities that require very specific conditions or user stupidity to trigger. For him to come out with "the one rated HIGH is probably the worst curl security flaw in a long time" most likely means it's bad.

[tyingq]

I agree at a high level, but there are spaces where it would be common. CI/CD servers as one example. Or any wordpress server.

[fer]

Sure. Or you can get an RCE on a car[0] after some bitsquatting[1].

[0] https://daniel.haxx.se/blog/2018/02/16/why-is-your-email-in-...

[1] https://en.wikipedia.org/wiki/Bitsquatting

[dzhiurgis]

Cars entertainment system, not car itself