Lucene search

K
cvelistHackeroneCVELIST:CVE-2023-38039
HistorySep 15, 2023 - 3:21 a.m.

CVE-2023-38039

2023-09-1503:21:54
hackerone
www.cve.org
curl
http response
header limit
vulnerability
heap memory

7.8 High

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

83.1%

When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would
accept in a response, allowing a malicious server to stream an endless series
of headers and eventually cause curl to run out of heap memory.

CNA Affected

[
  {
    "vendor": "curl",
    "product": "curl",
    "versions": [
      {
        "version": "8.3.0",
        "status": "affected",
        "lessThan": "8.3.0",
        "versionType": "semver"
      },
      {
        "version": "7.84.0",
        "status": "unaffected",
        "lessThan": "7.84.0",
        "versionType": "semver"
      }
    ]
  }
]