CVE-2023-38039

Published: 15/09/2023 Updated: 01/04/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Vulnerable Products

haxx curl

fedoraproject fedora 37

fedoraproject fedora 38

fedoraproject fedora 39

microsoft windows 10 22h2

microsoft windows 11 21h2

microsoft windows 11 22h2

microsoft windows 11 23h2

microsoft windows 10 1809

microsoft windows server 2019

microsoft windows server 2022

microsoft windows 10 21h2

Vendor Advisories

Overview: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP2 security update. Type/Severity: Security Advisory: Important. Title: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability S ...
Overview: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP2 security update. Type/Severity: Security Advisory: Important. Title: An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has ...
HTTP headers eat all memory. NOTE: www.openwall.com/lists/oss-security/2023/09/13/1 NOTE: curl.se/docs/CVE-2023-38039.html NOTE: Introduced by: github.com/curl/curl/commit/7c8c723682d524ac9580b9ca3b71419163cb5660 (curl-7_83_0) NOTE: Experimental tag removed in: github.com/curl/curl/commit/4d94fac9f0d1dd02b8308291e4c47651 ...
Description: The MITRE CVE dictionary describes this issue as: When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series o ...
Check Point Reference: CPAI-2023-1392 Date Published: 19 Dec 2023 Severity: High ...
About Apple security updates: For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page. Apple security documents reference vulnerabilities by CVE-ID whe ...