CVE-2023-38039

CVSS v3.1: 7.5 (High)
EPSS: 1.12% (85th percentile)
Affected Products: 10
Advisories: 13

When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not limit how many headers, or how much header data in total,
it would accept in a single response, allowing a malicious server to stream an
endless series of headers and eventually cause curl to run out of heap memory.
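The mitigation the description points at is a cumulative bound on stored header data. The following C program is an added illustration written for this page, not curl's own code: a small header store keeps each received header line for later access, but refuses further lines once the total stored bytes would exceed a fixed cap (the 300 KiB value and all function names are assumptions chosen for the example). A constructed loop plays the role of a server sending the same header forever and shows that storage stops at the cap instead of growing without bound.

```c
/* Added illustration (not curl's code): a response-header store with a hard
 * cap on total stored bytes, so an endless stream of headers from a server
 * cannot exhaust the heap. All names and limits here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADER_BYTES (300 * 1024)   /* assumed cap, chosen for illustration */

struct header_store {
    char **lines;        /* stored header lines, NUL-terminated copies */
    size_t count;        /* number of lines stored */
    size_t capacity;     /* slots allocated in lines[] */
    size_t total_bytes;  /* cumulative bytes of header data stored */
};

void header_store_init(struct header_store *s) { memset(s, 0, sizeof *s); }

void header_store_free(struct header_store *s) {
    for (size_t i = 0; i < s->count; i++) free(s->lines[i]);
    free(s->lines);
    header_store_init(s);
}

/* Store one header line. Returns 0 on success, -1 if the cumulative cap
 * would be exceeded or an allocation fails. The cap check is written as a
 * subtraction on the remaining budget so it cannot overflow. */
int header_store_add(struct header_store *s, const char *line, size_t len) {
    if (len > MAX_HEADER_BYTES - s->total_bytes)
        return -1;                          /* reject: over the total budget */
    if (s->count == s->capacity) {
        size_t ncap = s->capacity ? s->capacity * 2 : 16;
        char **nl = realloc(s->lines, ncap * sizeof *nl);
        if (!nl) return -1;
        s->lines = nl;
        s->capacity = ncap;
    }
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, line, len);
    copy[len] = '\0';
    s->lines[s->count++] = copy;
    s->total_bytes += len;
    return 0;
}

/* Constructed stand-in for a server that repeats one header line of
 * line_len bytes up to `rounds` times. Returns how many lines the store
 * accepted before the cap stopped it (no network involved). */
size_t simulate_endless_headers(size_t line_len, size_t rounds) {
    char *line = malloc(line_len + 1);
    if (!line) return 0;
    memset(line, 'a', line_len);            /* constructed header payload */
    line[line_len] = '\0';

    struct header_store st;
    header_store_init(&st);
    size_t stored = 0;
    for (size_t i = 0; i < rounds; i++) {
        if (header_store_add(&st, line, line_len) != 0) break;
        stored++;
    }
    header_store_free(&st);
    free(line);
    return stored;
}

int main(void) {
    /* 100-byte headers, "endless" supply: storage stops at 300 KiB / 100 = 3072 lines. */
    printf("stored %zu of 100000 offered header lines\n",
           simulate_endless_headers(100, 100000));
    return 0;
}
```

The point of the check is that it bounds the sum of all header bytes, not just each individual line: a server that sends many small, individually harmless headers is stopped just as surely as one that sends a single huge header.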

Weaknesses
CWE-770
Allocation of Resources Without Limits or Throttling
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2023-09-15 04:15:10
Updated Date
2024-04-01 15:45:33

Affected Products


Configuration #1

    Vendor / Product    Affected versions        CPE 2.3
    Haxx curl           >= 7.84.0, < 8.3.0       cpe:2.3:a:haxx:curl

Configuration #2

    Vendor / Product            Affected versions    CPE 2.3
    Fedora Project Fedora 37    37                   cpe:2.3:o:fedoraproject:fedora:37
    Fedora Project Fedora 38    38                   cpe:2.3:o:fedoraproject:fedora:38
    Fedora Project Fedora 39    39                   cpe:2.3:o:fedoraproject:fedora:39

Configuration #3

    Vendor / Product                 Affected versions       CPE 2.3
    Microsoft Windows 10 1809        < 10.0.17763.5122       cpe:2.3:o:microsoft:windows_10_1809
    Microsoft Windows 10 21H2        < 10.0.19044.3693       cpe:2.3:o:microsoft:windows_10_21h2
    Microsoft Windows 10 22H2        < 10.0.19045.3693       cpe:2.3:o:microsoft:windows_10_22h2
    Microsoft Windows 11 21H2        < 10.0.22000.2600       cpe:2.3:o:microsoft:windows_11_21h2
    Microsoft Windows 11 22H2        < 10.0.22621.2715       cpe:2.3:o:microsoft:windows_11_22h2
    Microsoft Windows 11 23H2        < 10.0.22631.2715       cpe:2.3:o:microsoft:windows_11_23h2
    Microsoft Windows Server 2019    < 10.0.17763.5122       cpe:2.3:o:microsoft:windows_server_2019
    Microsoft Windows Server 2022    < 10.0.20348.2113       cpe:2.3:o:microsoft:windows_server_2022