CVE-2023-38039

Summary

CVE: CVE-2023-38039
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-09-15 04:15:00 UTC
Updated: 2024-04-01 15:45:00 UTC
Description: When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Fedoraproject | Fedora | 37 | All | All | All
Operating System | Fedoraproject | Fedora | 38 | All | All | All
Operating System | Fedoraproject | Fedora | 39 | All | All | All
Application | Haxx | Curl | All | All | All | All
Operating System | Microsoft | Windows 10 1809 | All | All | All | All
Operating System | Microsoft | Windows 10 21h2 | All | All | All | All
Operating System | Microsoft | Windows 10 22h2 | All | All | All | All
Operating System | Microsoft | Windows 11 21h2 | All | All | All | All
Operating System | Microsoft | Windows 11 22h2 | All | All | All | All
Operating System | Microsoft | Windows 11 23h2 | All | All | All | All
Operating System | Microsoft | Windows Server 2019 | All | All | All | All
Operating System | Microsoft | Windows Server 2022 | All | All | All | All

References

Reference | Source | Link | Tags
Insyde Security Advisory 2023064 - Insyde Software | | www.insyde.com |
[SECURITY] Fedora 37 Update: curl-7.85.0-11.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
HackerOne | MISC | hackerone.com |
curl: Multiple Vulnerabilities (GLSA 202310-12) — Gentoo security | MISC | security.gentoo.org |
About the security content of macOS Ventura 13.6.4 - Apple Support | | support.apple.com |
About the security content of macOS Sonoma 14.2 - Apple Support | | support.apple.com |
[SECURITY] Fedora 39 Update: curl-8.2.1-2.fc39 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
seclists.org/fulldisclosure/2024/Jan/37 | | seclists.org |
[SECURITY] Fedora 38 Update: curl-8.0.1-4.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
Full Disclosure: Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsuspecting customers | MISC | seclists.org |
CVE-2023-38039 curl Vulnerability in NetApp Products - NetApp Product Security | MISC | security.netapp.com |
seclists.org/fulldisclosure/2024/Jan/38 | | seclists.org |
seclists.org/fulldisclosure/2024/Jan/34 | | seclists.org |
About the security content of macOS Monterey 12.7.3 - Apple Support | | support.apple.com |
About the security content of iOS 16.7.5 and iPadOS 16.7.5 - Apple Support | | support.apple.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 20366 Oracle Database 19c Critical Patch Update - October 2023
  • 20367 Oracle Database 21c Critical Patch Update - October 2023
  • 20368 Oracle Database 19c Critical OJVM Patch Update - October 2023
  • 20399 Oracle Database 19c Critical OJVM Patch Update - January 2024
  • 20400 Oracle Database 19c Critical Patch Update - January 2024
  • 20401 Oracle Database 21c Critical Patch Update - January 2024
  • 242553 Red Hat Update for JBoss Core Services (RHSA-2023:7625)
  • 284514 Fedora Security Update for curl (FEDORA-2023-b1253907f1)
  • 284546 Fedora Security Update for curl (FEDORA-2023-98dff7aae5)
  • 285257 Fedora Security Update for curl (FEDORA-2023-43ef9f5376)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 356390 Amazon Linux Security Advisory for curl : ALAS2023-2023-368
  • 356407 Amazon Linux Security Advisory for curl : ALAS2-2023-2271
  • 379298 Apple macOS Ventura 13.6.4 Not Installed (HT214058)
  • 379300 Apple macOS Monterey 12.7.3 Not Installed (HT214057)
  • 379516 IBM Sterling Secure Proxy Multiple Vulnerabilities (7142038)
  • 503352 Alpine Linux Security Update for curl
  • 503682 Alpine Linux Security Update for curl
  • 505863 Alpine Linux Security Update for curl
  • 610539 Apple iOS 16.7.5 and iPadOS 16.7.5 Security Update Missing (HT214063)
  • 691300 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (833b469b-5247-11ee-9667-080027f5fec9)
  • 710772 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12)
  • 754879 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:3692-1)
  • 754967 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:3823-1)
  • 907382 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (29698-1)
  • 907662 Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (28833)
  • 907687 Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (28833-1)
© CVE.report 2026
