CVE-2023-38039

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*

History

01 Apr 2024, 15:45

Type Values Removed Values Added
First Time Microsoft windows 10 1809
Microsoft windows 11 22h2
Microsoft
Microsoft windows 10 22h2
Microsoft windows 10 21h2
Microsoft windows 11 21h2
Microsoft windows 11 23h2
Microsoft windows Server 2022
Microsoft windows Server 2019
CPE cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
References () http://seclists.org/fulldisclosure/2023/Oct/17 - Third Party Advisory () http://seclists.org/fulldisclosure/2023/Oct/17 - Mailing List, Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/34 - Third Party Advisory () http://seclists.org/fulldisclosure/2024/Jan/34 - Mailing List, Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/37 - Third Party Advisory () http://seclists.org/fulldisclosure/2024/Jan/37 - Mailing List, Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/38 - Third Party Advisory () http://seclists.org/fulldisclosure/2024/Jan/38 - Mailing List, Third Party Advisory

01 Feb 2024, 01:00

Type Values Removed Values Added
References () http://seclists.org/fulldisclosure/2024/Jan/38 - () http://seclists.org/fulldisclosure/2024/Jan/38 - Third Party Advisory
References () https://support.apple.com/kb/HT214058 - () https://support.apple.com/kb/HT214058 - Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/ - Mailing List
References (MISC) http://seclists.org/fulldisclosure/2023/Oct/17 - (MISC) http://seclists.org/fulldisclosure/2023/Oct/17 - Third Party Advisory
References () https://support.apple.com/kb/HT214057 - () https://support.apple.com/kb/HT214057 - Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/34 - () http://seclists.org/fulldisclosure/2024/Jan/34 - Third Party Advisory
References () http://seclists.org/fulldisclosure/2024/Jan/37 - () http://seclists.org/fulldisclosure/2024/Jan/37 - Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/ - Mailing List
References () https://www.insyde.com/security-pledge/SA-2023064 - () https://www.insyde.com/security-pledge/SA-2023064 - Third Party Advisory
References () https://support.apple.com/kb/HT214063 - () https://support.apple.com/kb/HT214063 - Third Party Advisory
References (MISC) https://security.netapp.com/advisory/ntap-20231013-0005/ - (MISC) https://security.netapp.com/advisory/ntap-20231013-0005/ - Third Party Advisory
References () https://support.apple.com/kb/HT214036 - () https://support.apple.com/kb/HT214036 - Third Party Advisory
References (MISC) https://security.gentoo.org/glsa/202310-12 - (MISC) https://security.gentoo.org/glsa/202310-12 - Third Party Advisory
CPE cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

26 Jan 2024, 17:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Jan/38 -
  • () http://seclists.org/fulldisclosure/2024/Jan/34 -
  • () http://seclists.org/fulldisclosure/2024/Jan/37 -

23 Jan 2024, 14:15

Type Values Removed Values Added
References
  • () https://support.apple.com/kb/HT214036 -

22 Jan 2024, 19:15

Type Values Removed Values Added
References
  • () https://support.apple.com/kb/HT214057 -
  • () https://support.apple.com/kb/HT214058 -
  • () https://support.apple.com/kb/HT214063 -

12 Dec 2023, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-15 04:15

Updated : 2024-04-01 15:45


NVD link : CVE-2023-38039

Mitre link : CVE-2023-38039

CVE.ORG link : CVE-2023-38039


JSON object : View

Products Affected

microsoft

  • windows_10_21h2
  • windows_10_1809
  • windows_10_22h2
  • windows_11_23h2
  • windows_11_22h2
  • windows_server_2019
  • windows_11_21h2
  • windows_server_2022

haxx

  • curl

fedoraproject

  • fedora
CWE
CWE-770

Allocation of Resources Without Limits or Throttling