Home > Vulnerability Database > CVE-2023-38039

Mend.io Vulnerability Database

CVE-2023-38039

Good to know:

Date: September 14, 2023

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Language: C

Severity Score

7.5

Related Resources (20)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/

Url: https://security.netapp.com/advisory/ntap-20231013-0005/

Url: https://github.com/curl/curl/commit/3ee79c1674fd6f9

Url: https://support.apple.com/kb/HT214057

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-38039

Url: https://support.apple.com/kb/HT214058

Url: https://support.apple.com/kb/HT214036

Url: http://seclists.org/fulldisclosure/2023/Oct/17

Url: https://hackerone.com/reports/2072338

Url: http://seclists.org/fulldisclosure/2024/Jan/38

Url: http://seclists.org/fulldisclosure/2024/Jan/37

Url: https://security.gentoo.org/glsa/202310-12

Url: http://seclists.org/fulldisclosure/2024/Jan/34

Url: https://www.insyde.com/security-pledge/SA-2023064

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/

Url: https://support.apple.com/kb/HT214063

Url: https://security-tracker.debian.org/tracker/CVE-2023-38039

Url: https://seclists.org/oss-sec/2023/q3/175

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/

Url: https://www.mend.io/vulnerability-database/CVE-2023-38039

Severity Score

7.5

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version curl-8_3_0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-38039

Good to know:

Date: September 14, 2023

Language: C

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?