CVE-2023-23916

23.02.2023, 20:15

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
hackerone	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Vendor	Product	Version
haxx	curl	7.57.0 ≤ 𝑥 < 7.88.0
debian	debian_linux	10.0
debian	debian_linux	11.0
netapp	h300s_firmware	-
netapp	h500s_firmware	-
netapp	h700s_firmware	-
netapp	h410s_firmware	-
netapp	clustered_data_ontap	-
splunk	universal_forwarder	8.2.0 ≤ 𝑥 < 8.2.12
splunk	universal_forwarder	9.0.0 ≤ 𝑥 < 9.0.6
splunk	universal_forwarder	9.1.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

curl

bullseye	7.74.0-1.3+deb11u13 fixed
bullseye (security)	7.74.0-1.3+deb11u14 fixed
bookworm	7.88.1-10+deb12u8 fixed
bookworm (security)	7.88.1-10+deb12u5 fixed
sid	8.11.1-1 fixed
trixie	8.11.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

curl

lunar	Fixed 7.87.0-2ubuntu1 released
kinetic	Fixed 7.85.0-1ubuntu0.3 released
jammy	Fixed 7.81.0-1ubuntu1.8 released
focal	Fixed 7.68.0-1ubuntu2.16 released
bionic	Fixed 7.58.0-2ubuntu3.23 released
xenial	not-affected
trusty	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://hackerone.com/reports/1826048

https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/

https://security.gentoo.org/glsa/202310-12