CVE-2023-23916 — Allocation of Resources Without Limits or Throttling in Curl
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 74.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 23
Latest updateApr 15
Description
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use …
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6
Affected Packages4 packages
Also affects: Debian Linux 10.0, 11.0, Fedora 36
🔴Vulnerability Details
3GHSA▶
GHSA-v8vq-prc2-j6gx: An allocation of resources without limits or throttling vulnerability exists in curl <v7↗2023-02-23
CVEList▶
CVE-2023-23916: An allocation of resources without limits or throttling vulnerability exists in curl <v7↗2023-02-23
OSV▶
CVE-2023-23916: An allocation of resources without limits or throttling vulnerability exists in curl <v7↗2023-02-23
📋Vendor Advisories
5Microsoft▶
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms meaning that a server response can be compressed multip↗2023-02-14
Debian▶
CVE-2023-23916: curl - An allocation of resources without limits or throttling vulnerability exists in ...↗2023