Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38039

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Published

2023-09-15T04:15:10.127

Last Modified

2024-11-21T08:12:43.457

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	haxx	curl	< 8.3.0	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	fedoraproject	fedora	38	Yes
Operating System	fedoraproject	fedora	39	Yes
Operating System	microsoft	windows_10_1809	< 10.0.17763.5122	Yes
Operating System	microsoft	windows_10_21h2	< 10.0.19044.3693	Yes
Operating System	microsoft	windows_10_22h2	< 10.0.19045.3693	Yes
Operating System	microsoft	windows_11_21h2	< 10.0.22000.2600	Yes
Operating System	microsoft	windows_11_22h2	< 10.0.22621.2715	Yes
Operating System	microsoft	windows_11_23h2	< 10.0.22631.2715	Yes
Operating System	microsoft	windows_server_2019	< 10.0.17763.5122	Yes
Operating System	microsoft	windows_server_2022	< 10.0.20348.2113	Yes

References

http://seclists.org/fulldisclosure/2023/Oct/17 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2024/Jan/34 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2024/Jan/37 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2024/Jan/38 Mailing List, Third Party Advisory ([email protected])
https://hackerone.com/reports/2072338 Exploit, Issue Tracking, Patch, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ Mailing List ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ Mailing List ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/ Mailing List ([email protected])
https://security.gentoo.org/glsa/202310-12 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20231013-0005/ Third Party Advisory ([email protected])
https://support.apple.com/kb/HT214036 Third Party Advisory ([email protected])
https://support.apple.com/kb/HT214057 Third Party Advisory ([email protected])
https://support.apple.com/kb/HT214058 Third Party Advisory ([email protected])
https://support.apple.com/kb/HT214063 Third Party Advisory ([email protected])
https://www.insyde.com/security-pledge/SA-2023064 Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2023/Oct/17 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2024/Jan/34 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2024/Jan/37 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2024/Jan/38 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2072338 Exploit, Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/ Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202310-12 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20231013-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214036 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214057 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214058 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214063 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.insyde.com/security-pledge/SA-2023064 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)