exploitDog

CVE-2023-38039

Published: 15 Sep 2023
Source: debian

Description

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Packages

Package   Status         Fixed version        Release    Type
curl      fixed          8.3.0-1                         package
curl      fixed          7.88.1-10+deb12u3    bookworm   package
curl      not-affected                        bullseye   package
curl      not-affected                        buster     package

Notes

  • https://www.openwall.com/lists/oss-security/2023/09/13/1

  • https://curl.se/docs/CVE-2023-38039.html

  • Introduced by: https://github.com/curl/curl/commit/7c8c723682d524ac9580b9ca3b71419163cb5660 (curl-7_83_0)

  • Experimental tag removed in: https://github.com/curl/curl/commit/4d94fac9f0d1dd02b8308291e4c47651142dc28b (curl-7_84_0)

  • Fixed by: https://github.com/curl/curl/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770 (curl-8_3_0)

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 2 years ago


CVSS3: 7.5
redhat
almost 2 years ago


CVSS3: 7.5
nvd
almost 2 years ago


msrc
more than 1 year ago

Hackerone: CVE-2023-38039 HTTP headers eat all memory

suse-cvrf
more than 1 year ago

Security update for curl