CVE-2023-23916

23.02.2023, 20:15

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
haxx	curl	7.57.0 ≤ 𝑥 < 7.88.0
debian	debian_linux	10.0
debian	debian_linux	11.0
netapp	h300s_firmware	-
netapp	h500s_firmware	-
netapp	h700s_firmware	-
netapp	h410s_firmware	-
netapp	clustered_data_ontap	-
splunk	universal_forwarder	8.2.0 ≤ 𝑥 < 8.2.12
splunk	universal_forwarder	9.0.0 ≤ 𝑥 < 9.0.6
splunk	universal_forwarder	9.1.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

curl

bookworm	7.88.1-10+deb12u8 fixed
bookworm (security)	7.88.1-10+deb12u5 fixed
bullseye	7.74.0-1.3+deb11u13 fixed
bullseye (security)	7.74.0-1.3+deb11u14 fixed
sid	8.11.1-1 fixed
trixie	8.11.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

curl

bionic	Fixed 7.58.0-2ubuntu3.23 released
focal	Fixed 7.68.0-1ubuntu2.16 released
jammy	Fixed 7.81.0-1ubuntu1.8 released
kinetic	Fixed 7.85.0-1ubuntu0.3 released
lunar	Fixed 7.87.0-2ubuntu1 released
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

curl

suse enterprise desktop 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise desktop 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise sap 12 SP5	7.60.0-11.55.1 fixed
suse enterprise sap 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise sap 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise server 12 SP4	7.60.0-4.56.1 fixed
suse enterprise server 12 SP5	7.60.0-11.55.1 fixed
suse enterprise server 15 SP1	7.60.0-150000.51.1 fixed
suse enterprise server 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise server 15 SP7	8.6.0-150600.4.21.1 fixed

libcurl-devel

suse enterprise desktop 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise desktop 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise sap 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise sap 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise server 15 SP1	7.60.0-150000.51.1 fixed
suse enterprise server 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise server 15 SP7	8.6.0-150600.4.21.1 fixed

libcurl4

suse enterprise desktop 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise desktop 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise sap 12 SP5	7.60.0-11.55.1 fixed
suse enterprise sap 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise sap 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise server 12 SP4	7.60.0-4.56.1 fixed
suse enterprise server 12 SP5	7.60.0-11.55.1 fixed
suse enterprise server 15 SP1	7.60.0-150000.51.1 fixed
suse enterprise server 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise server 15 SP7	8.6.0-150600.4.21.1 fixed

libcurl4-32bit

suse enterprise desktop 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise desktop 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise desktop 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise sap 12 SP5	7.60.0-11.55.1 fixed
suse enterprise sap 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise sap 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise sap 15 SP7	8.6.0-150600.4.21.1 fixed
suse enterprise server 12 SP4	7.60.0-4.56.1 fixed
suse enterprise server 12 SP5	7.60.0-11.55.1 fixed
suse enterprise server 15 SP1	7.60.0-150000.51.1 fixed
suse enterprise server 15 SP4	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP5	7.79.1-150400.5.15.1 fixed
suse enterprise server 15 SP6	8.6.0-150600.2.2 fixed
suse enterprise server 15 SP7	8.6.0-150600.4.21.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

curl

RHEL 8	0:7.61.1-25.el8_7.3 fixed
RHEL 8.4 AUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 E4S	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 TUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.6 AUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 E4S	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 EUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 TUS	0:7.61.1-22.el8_6.6 fixed
RHEL 9	0:7.76.1-19.el9_1.2 fixed

curl-minimal

RHEL 9

0:7.76.1-19.el9_1.2

fixed

libcurl

RHEL 8	0:7.61.1-25.el8_7.3 fixed
RHEL 8.4 AUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 E4S	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 TUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.6 AUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 E4S	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 EUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 TUS	0:7.61.1-22.el8_6.6 fixed
RHEL 9	0:7.76.1-19.el9_1.2 fixed

libcurl-devel

RHEL 8	0:7.61.1-25.el8_7.3 fixed
RHEL 8.4 AUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 E4S	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 TUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.6 AUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 E4S	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 EUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 TUS	0:7.61.1-22.el8_6.6 fixed
RHEL 9	0:7.76.1-19.el9_1.2 fixed

libcurl-minimal

RHEL 8	0:7.61.1-25.el8_7.3 fixed
RHEL 8.4 AUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 E4S	0:7.61.1-18.el8_4.3 fixed
RHEL 8.4 TUS	0:7.61.1-18.el8_4.3 fixed
RHEL 8.6 AUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 E4S	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 EUS	0:7.61.1-22.el8_6.6 fixed
RHEL 8.6 TUS	0:7.61.1-22.el8_6.6 fixed
RHEL 9	0:7.76.1-19.el9_1.2 fixed

Known Exploits!

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://hackerone.com/reports/1826048

https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/

https://security.gentoo.org/glsa/202310-12

https://security.netapp.com/advisory/ntap-20230309-0006/

https://www.debian.org/security/2023/dsa-5365

https://hackerone.com/reports/1826048

https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/

https://security.gentoo.org/glsa/202310-12

https://security.netapp.com/advisory/ntap-20230309-0006/

https://www.debian.org/security/2023/dsa-5365