CVE-2023-38039

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*

History

01 Apr 2024, 15:45

Type Values Removed Values Added
CPE cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
First Time Microsoft windows 10 22h2
Microsoft windows Server 2022
Microsoft
Microsoft windows 11 23h2
Microsoft windows 10 1809
Microsoft windows 11 22h2
Microsoft windows 10 21h2
Microsoft windows Server 2019
Microsoft windows 11 21h2
References () http://seclists.org/fulldisclosure/2023/Oct/17 - Third Party Advisory () http://seclists.org/fulldisclosure/2023/Oct/17 - Mailing List, Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/34 - Third Party Advisory () http://seclists.org/fulldisclosure/2024/Jan/34 - Mailing List, Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/37 - Third Party Advisory () http://seclists.org/fulldisclosure/2024/Jan/37 - Mailing List, Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/38 - Third Party Advisory () http://seclists.org/fulldisclosure/2024/Jan/38 - Mailing List, Third Party Advisory

01 Feb 2024, 01:00

Type Values Removed Values Added
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ - Mailing List
References () https://support.apple.com/kb/HT214036 - () https://support.apple.com/kb/HT214036 - Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/38 - () http://seclists.org/fulldisclosure/2024/Jan/38 - Third Party Advisory
References () https://www.insyde.com/security-pledge/SA-2023064 - () https://www.insyde.com/security-pledge/SA-2023064 - Third Party Advisory
References () https://support.apple.com/kb/HT214063 - () https://support.apple.com/kb/HT214063 - Third Party Advisory
References () https://support.apple.com/kb/HT214058 - () https://support.apple.com/kb/HT214058 - Third Party Advisory
References () https://support.apple.com/kb/HT214057 - () https://support.apple.com/kb/HT214057 - Third Party Advisory
References (MISC) https://security.netapp.com/advisory/ntap-20231013-0005/ - (MISC) https://security.netapp.com/advisory/ntap-20231013-0005/ - Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ - Mailing List
References () http://seclists.org/fulldisclosure/2024/Jan/34 - () http://seclists.org/fulldisclosure/2024/Jan/34 - Third Party Advisory
References (MISC) https://security.gentoo.org/glsa/202310-12 - (MISC) https://security.gentoo.org/glsa/202310-12 - Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/37 - () http://seclists.org/fulldisclosure/2024/Jan/37 - Third Party Advisory
References (MISC) http://seclists.org/fulldisclosure/2023/Oct/17 - (MISC) http://seclists.org/fulldisclosure/2023/Oct/17 - Third Party Advisory
CPE cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

26 Jan 2024, 17:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Jan/34 -
  • () http://seclists.org/fulldisclosure/2024/Jan/37 -
  • () http://seclists.org/fulldisclosure/2024/Jan/38 -

23 Jan 2024, 14:15

Type Values Removed Values Added
References
  • () https://support.apple.com/kb/HT214036 -

22 Jan 2024, 19:15

Type Values Removed Values Added
References
  • () https://support.apple.com/kb/HT214057 -
  • () https://support.apple.com/kb/HT214063 -
  • () https://support.apple.com/kb/HT214058 -

12 Dec 2023, 21:15

Type Values Removed Values Added
References
  • () https://www.insyde.com/security-pledge/SA-2023064 -

17 Oct 2023, 05:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Oct/17 -

13 Oct 2023, 22:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20231013-0005/ -

11 Oct 2023, 11:15

Type Values Removed Values Added
References
  • (MISC) https://security.gentoo.org/glsa/202310-12 -

27 Sep 2023, 15:18

Type Values Removed Values Added
References
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ -
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ -

20 Sep 2023, 15:08

Type Values Removed Values Added
CWE CWE-770
First Time Fedoraproject
Fedoraproject fedora
Haxx
Haxx curl
References (MISC) https://hackerone.com/reports/2072338 - (MISC) https://hackerone.com/reports/2072338 - Exploit, Issue Tracking, Patch, Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/ - Mailing List
CPE cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

16 Sep 2023, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-15 04:15

Updated : 2024-04-01 15:45


NVD link : CVE-2023-38039

Mitre link : CVE-2023-38039

CVE.ORG link : CVE-2023-38039


JSON object : View

Products Affected

microsoft

  • windows_11_21h2
  • windows_10_21h2
  • windows_10_22h2
  • windows_11_22h2
  • windows_server_2019
  • windows_server_2022
  • windows_11_23h2
  • windows_10_1809

haxx

  • curl

fedoraproject

  • fedora
CWE
CWE-770

Allocation of Resources Without Limits or Throttling