CVE-2023-38039

EUVD-2023-41865
When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would
accept in a response, allowing a malicious server to stream an endless series
of headers and eventually cause curl to run out of heap memory.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
Affected Products (NVD)
VendorProductVersion
haxxcurl
7.84.0 ≤
𝑥
< 8.3.0
microsoftwindows_10_1809
𝑥
< 10.0.17763.5122
microsoftwindows_10_21h2
𝑥
< 10.0.19044.3693
microsoftwindows_10_22h2
𝑥
< 10.0.19045.3693
microsoftwindows_11_21h2
𝑥
< 10.0.22000.2600
microsoftwindows_11_22h2
𝑥
< 10.0.22621.2715
microsoftwindows_11_23h2
𝑥
< 10.0.22631.2715
microsoftwindows_server_2019
𝑥
< 10.0.17763.5122
microsoftwindows_server_2022
𝑥
< 10.0.20348.2113
𝑥
= Vulnerable software versions
Windows Releases
Platform
Version
Windows 10
1809 (arm64, x64, x86)
KB5032196
21H2 (arm64, x64)
KB5032189
21H2 (x86)
KB5032192
22H2 (arm64, x64, x86)
KB5032189
Windows 11
21H2 (arm64, x64)
KB5032192
22H2 (arm64, x64)
KB5032190
23H2 (arm64, x64)
KB5032190
Windows Server 2019
Server Core
KB5032196
Standard
KB5032196
Windows Server 2022
Server Core
KB5032198
Standard
KB5032198
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u8
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
not-affected
bullseye (security)
7.74.0-1.3+deb11u14
fixed
buster
not-affected
sid
8.11.1-1
fixed
trixie
8.11.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
Fixed 7.88.1-8ubuntu2.2
released
mantic
Fixed 8.2.1-1ubuntu3
released
noble
Fixed 8.2.1-1ubuntu3
released
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2023/Oct/17
http://seclists.org/fulldisclosure/2024/Jan/34
http://seclists.org/fulldisclosure/2024/Jan/37
http://seclists.org/fulldisclosure/2024/Jan/38
https://hackerone.com/reports/2072338
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20231013-0005/
https://support.apple.com/kb/HT214036
https://support.apple.com/kb/HT214057
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214063
https://www.insyde.com/security-pledge/SA-2023064
http://seclists.org/fulldisclosure/2023/Oct/17
http://seclists.org/fulldisclosure/2024/Jan/34
http://seclists.org/fulldisclosure/2024/Jan/37
http://seclists.org/fulldisclosure/2024/Jan/38
https://hackerone.com/reports/2072338
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20231013-0005/
https://support.apple.com/kb/HT214036
https://support.apple.com/kb/HT214057
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214063
https://www.insyde.com/security-pledge/SA-2023064