Уязвимость недостаточной обработки цепочек компрессии в cURL, позволяющая вызвать эксплуатацию "malloc bomb"
Описание
В curl существует уязвимость, связанная с поддержкой "цепочных" алгоритмов компрессии HTTP. Это означает, что ответ от сервера может быть сжат несколько раз с использованием различных алгоритмов. В данной реализации отсутствует ограничение на количество "звеньев" в данной "цепочке декомпрессии", что позволяет вредоносному серверу вставить практически неограниченное количество шагов компрессии. Использование такой цепочки декомпрессии может привести к ситуации, известной как "malloc bomb", при которой cURL расходует огромные объемы памяти кучи или возвращает ошибки недостатка памяти.
Затронутые версии ПО
- curl версий до 7.84.0
Тип уязвимости
malloc bomb
Ссылки
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
- PatchThird Party Advisory
- ExploitThird Party Advisory
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
- PatchThird Party Advisory
- ExploitThird Party Advisory
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Одно из
Одно из
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одновременно
Одно из
EPSS
6.5 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
Связанные уязвимости
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning ...
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
EPSS
6.5 Medium
CVSS3
4.3 Medium
CVSS2