CVE-2023-38039
published 2023-09-15
Priority: P3 · 59 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 63.79% (99.1th percentile)
When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.
However, curl did not have a limit in how many or how large headers it would
accept in a response, allowing a malicious server to stream an endless series
of headers and eventually cause curl to run out of heap memory.
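The description above is the CWE-770 pattern: each response header line is copied to the heap and nothing caps how many copies, or how many bytes, a single response may accumulate. As an added illustration (this is not curl's code and not from any of the advisories on this page), the C program below keeps a minimal header store in both forms: an unbounded variant that accepts whatever the peer sends, and a bounded variant that checks a header-count and total-byte ceiling before allocating. The limits, the synthetic "X-Pad-N: aaa..." header stream and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed for this example; they are not curl's own numbers. */
#define MAX_HEADER_COUNT 200
#define MAX_HEADER_BYTES (64 * 1024)

struct header_store {
    char **lines;       /* one heap copy per stored header line */
    size_t count;       /* lines stored so far */
    size_t capacity;    /* slots allocated in lines[] */
    size_t total_bytes; /* heap bytes held by line copies, NUL included */
};

void store_init(struct header_store *s) { memset(s, 0, sizeof *s); }

void store_free(struct header_store *s) {
    for (size_t i = 0; i < s->count; i++) free(s->lines[i]);
    free(s->lines);
    store_init(s);
}

/* Copy one line into the store; 0 on success, -1 on allocation failure. */
static int append_line(struct header_store *s, const char *line) {
    size_t len = strlen(line) + 1;
    if (s->count == s->capacity) {
        size_t ncap = s->capacity ? s->capacity * 2 : 16;
        char **nl = realloc(s->lines, ncap * sizeof *nl);
        if (!nl) return -1;
        s->lines = nl;
        s->capacity = ncap;
    }
    char *copy = malloc(len);
    if (!copy) return -1;
    memcpy(copy, line, len);
    s->lines[s->count++] = copy;
    s->total_bytes += len;
    return 0;
}

/* Vulnerable pattern (CWE-770): every header the peer sends is kept, so heap
 * growth is controlled by the server, not the client. */
int store_header_unbounded(struct header_store *s, const char *line) {
    return append_line(s, line);
}

/* Hardened pattern: enforce the ceilings before allocating anything.
 * Returns -2 when the response would exceed them; the caller should abort
 * the transfer rather than keep reading. */
int store_header_bounded(struct header_store *s, const char *line) {
    size_t len = strlen(line) + 1;
    if (s->count >= MAX_HEADER_COUNT || s->total_bytes + len > MAX_HEADER_BYTES)
        return -2;
    return append_line(s, line);
}

/* Constructed stand-in for a server streaming headers: feeds up to stream_len
 * synthetic "X-Pad-N: aaaa..." lines of line_len bytes each into the chosen
 * store function and stops at the first refusal. Returns the accepted count. */
size_t drain_stream(int (*store)(struct header_store *, const char *),
                    size_t stream_len, size_t line_len) {
    struct header_store s;
    store_init(&s);
    char *line = malloc(line_len + 1);
    if (!line) return 0;
    size_t accepted = 0;
    for (size_t i = 0; i < stream_len; i++) {
        int n = snprintf(line, line_len + 1, "X-Pad-%zu: ", i);
        if (n < 0) break;
        size_t pos = (size_t)n < line_len ? (size_t)n : line_len;
        memset(line + pos, 'a', line_len - pos); /* pad to exactly line_len */
        line[line_len] = '\0';
        if (store(&s, line) != 0) break;
        accepted++;
    }
    free(line);
    store_free(&s);
    return accepted;
}

int main(void) {
    printf("unbounded: accepted %zu of 1000 lines\n",
           drain_stream(store_header_unbounded, 1000, 64));
    printf("bounded, count cap: accepted %zu of 100000 lines\n",
           drain_stream(store_header_bounded, 100000, 64));
    printf("bounded, byte cap: accepted %zu of 100000 lines\n",
           drain_stream(store_header_bounded, 100000, 1000));
    return 0;
}
```

The unbounded store accepts every line the stream offers, so its memory use is simply stream length times line length; the bounded store stops at 200 short lines (count ceiling) or at 65 lines of 1000 bytes (byte ceiling), and the transfer fails early instead of the process running out of heap. A real client should also count continuation lines and the status line against the same budget, since any byte the peer can send is a byte it can repeat.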
Affected
49 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_monterey | — | — |
| apple | macos_sonoma | — | — |
| apple | macos_ventura | — | — |
| curl | curl | >= 8.3.0 < 8.3.0 | 8.3.0 |
| debian | curl | < curl 7.88.1-10+deb12u3 (bookworm) | curl 7.88.1-10+deb12u3 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 8.3.0-r0 | 8.3.0-r0 |
| haxx | curl | >= 0 < 7.88.1-10+deb12u3 | 7.88.1-10+deb12u3 |
| haxx | curl | >= 0 < 8.3.0-1 | 8.3.0-1 |
| haxx | curl | >= 0 < 8.3.0-1 | 8.3.0-1 |
| haxx | curl | >= 7.84.0 < 8.3.0 | 8.3.0 |
| microsoft | windows_10_1809 | < 10.0.17763.5122 | 10.0.17763.5122 |
| microsoft | windows_10_21h2 | < 10.0.19044.3693 | 10.0.19044.3693 |
| microsoft | windows_10_22h2 | < 10.0.19045.3693 | 10.0.19045.3693 |
| microsoft | windows_11_21h2 | < 10.0.22000.2600 | 10.0.22000.2600 |
Detection & IOCs (extracted from sources)
- A malicious server streams an endless series of HTTP response headers to exhaust curl client heap memory; monitor for abnormally large or unbounded HTTP response header counts from a server to a curl client.
- Versions of curl.exe prior to 8.4.0 on Windows are vulnerable; use WDAC policy to deny execution of \system32\curl.exe with MaximumFileVersion set to 8.4.0.0 as a detection/blocking boundary.
- Vulnerable path on Windows is \system32\curl.exe; flag execution of this binary at versions below 8.4.0 as potentially exploitable.
- Exploitation requires an attacker-controlled server; an attacker must convince the victim to connect curl to a compromised server. Monitor for curl connections to untrusted or anomalous HTTP endpoints resulting in process memory exhaustion or crash.
- curl version 8.4.0 is the fixed version; any curl deployment below this version is vulnerable to the unbounded header memory exhaustion.
- Red Hat Enterprise Linux 6, 7, 8, and 9 ship a curl package that is NOT affected by this CVE.
- The vulnerability is exploitable only over the HTTP protocol and requires a network-reachable attacker-controlled server; it is not remotely exploitable without victim interaction.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_oracle | 6.5 | HIGH | — |
OSV
CVE-2023-38039: When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API
osv · 2023-09-15 · CVSS 7.5 · HIGH
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
GHSA
GHSA-99j9-jf36-9747: When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API
ghsa_unreviewed · 2023-09-15 · HIGH · CWE-770 · CVE-2023-38039
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
CISA ICS
Siemens SIMATIC RTLS Locating Manager
cisa_ics · 2024-05-16
ICS Advisory: Siemens SIMATIC RTLS Locating Manager
Release Date: May 16, 2024
Alert Code: ICSA-24-137-07
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC RTLS Locating Manager
- Vulnerabilities: Improper Input Validation, Improper Check for Unusual or Exceptional Conditions, Uncontrolled Resource Consumption, Excessive Iteration, Allocation of Resources Wi
CISA ICS
Siemens SINEC NMS
cisa_ics · 2024-02-15
ICS Advisory: Siemens SINEC NMS
Release Date: February 15, 2024
Alert Code: ICSA-24-046-15
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC NMS
- Vulnerabilities: Out-of-bounds Read, Inadequate Encryption Strength, Double Free, Use After Free, NULL Pointer Dereference, Improper Input Validation, Missing Encryption of Sensitive Data, Allocation of Resources Wit
Apple
CVE-2023-38039: macOS Monterey 12.7.3
vendor_apple · 2024-01-22 · CVSS 7.5 · HIGH
Apple Security Update: About the security content of macOS Monterey 12.7.3
Product: macOS Monterey
Version: 12.7.3
CVE: CVE-2023-38039
Component: CVE-2023-38039
Apple
CVE-2023-38039: macOS Ventura 13.6.4
vendor_apple · 2024-01-22 · CVSS 7.5 · HIGH
Apple Security Update: About the security content of macOS Ventura 13.6.4
Product: macOS Ventura
Version: 13.6.4
CVE: CVE-2023-38039
Component: CVE-2023-38039
Apple
CVE-2023-38039: macOS Sonoma 14.2
vendor_apple · 2023-12-11 · CVSS 7.5 · HIGH
Apple Security Update: About the security content of macOS Sonoma 14.2
Product: macOS Sonoma
Version: 14.2
CVE: CVE-2023-38039
Component: CVE-2023-38039
Oracle
Oracle Database Server Risk Matrix: Oracle Spatial and Graph (cURL) — CVE-2023-38039
vendor_oracle · 2023-10-15 · CVSS 6.5 · HIGH
Oracle Database Server Risk Matrix: Oracle Spatial and Graph (cURL) vulnerability
CVE: CVE-2023-38039
CVSS: 6.5
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Microsoft
Hackerone: CVE-2023-38039 HTTP headers eat all memory
vendor_msrc · 2023-10-10 · CVSS 7.5 · HIGH
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2023-38039
FAQ: 1. When will an update be available to address this vulnerability?
Microsoft is fully aware of this issue and is actively working to release version 8.4.0 of curl.exe in a future Windows update for currently supported, on-premise versions of Windows clients and servers. The Security Updates table for this CVE will be updated with the Windows update KB numbers for all supported versions as they are released. Customers will be notified via a revision to this security vulnerability when those KB numbers are available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of conten
Red Hat
curl: out of heap memory issue due to missing limit on header quantity
vendor_redhat · 2023-09-13 · CVSS 7.5 · HIGH · CWE-770
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
A flaw was found in the Curl package. Curl allows a malicious server to stream an endless series of headers to a client due to a missing limit on header quantity, eventually causing curl to run out of heap memory, which may lead to a crash.
Statement: This issue does not affect the Curl package as shipped in Red Hat Enterprise Linux 6, 7, 8, and 9.
Package: curl (Red Hat E
Ubuntu
curl vulnerability
vendor_ubuntu · 2023-09-13 · CVE-2023-38039
Summary: curl could be made to consume resources if it received specially crafted network traffic.
It was discovered that curl incorrectly handled certain large headers. A remote attacker could possibly use this issue to cause curl to consume resources, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-38039: curl - When curl retrieves an HTTP response, it stores the incoming headers so that the...
vendor_debian · 2023 · CVSS 7.5 · HIGH
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
Scope: local
- bookworm: resolved (fixed in 7.88.1-10+deb12u3)
- bullseye: resolved
- forky: resolved (fixed in 8.3.0-1)
- sid: resolved (fixed in 8.3.0-1)
- trixie: resolved (fixed in 8.3.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2023/Oct/17
- http://seclists.org/fulldisclosure/2024/Jan/34
- http://seclists.org/fulldisclosure/2024/Jan/37
- http://seclists.org/fulldisclosure/2024/Jan/38
- https://hackerone.com/reports/2072338
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/
- https://security.gentoo.org/glsa/202310-12
- https://security.netapp.com/advisory/ntap-20231013-0005/
- https://support.apple.com/kb/HT214036
- https://support.apple.com/kb/HT214057
- https://support.apple.com/kb/HT214058
- https://support.apple.com/kb/HT214063
- https://www.insyde.com/security-pledge/SA-2023064
Published: 2023-09-15