3275 matches found
CVE-2023-28119
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...
CVE-2023-28119 crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...
CVE-2023-28119
Removed by vendor...
GO-2023-1602 Denial of service via deflate decompression bomb in github.com/russellhaering/gosaml2
A bug in SAML authentication library can result in Denial of Service attacks. Attackers can craft a "deflate"-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process bein...
GHSA-6GC3-CRP7-25W5 gosaml2 vulnerable to Denial Of Service Via Deflate Decompression Bomb
Impact SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a deflate-compressed request which will consume significantly more memory during processing than the size of the...
Fedora 36 : curl (2023-94df30cbec)
The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-94df30cbec advisory. - fix HTTP multi-header compression denial of service CVE-2023-23916 Tenable has extracted the preceding description block directly from the Fedora security...
OESA-2023-1123 curl security update
cURL is a computer software project providing a library libcurl and command-line tool curl for transferring data using various protocols. Security Fixes: curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with...
OESA-2023-1125 curl security update
cURL is a computer software project providing a library libcurl and command-line tool curl for transferring data using various protocols. Security Fixes: A flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file...
OESA-2023-1124 curl security update
cURL is a computer software project providing a library libcurl and command-line tool curl for transferring data using various protocols. Security Fixes: A flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file...
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb" making curl end up spending enormous amounts of allocated heap memory or trying to and returning out of memory errors.
...
ALPINE-CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
AZL-13657 CVE-2023-23916 affecting package mysql for versions less than 8.0.33-1
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
AZL-34602 CVE-2023-23916 affecting package cmake for versions less than 3.28.2-1
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
AZL-13653 CVE-2023-23916 affecting package curl for versions less than 7.88.1-1
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
AZL-13651 CVE-2023-23916 affecting package cmake for versions less than 3.21.4-13
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
AZL-13658 CVE-2023-23916 affecting package rust for versions less than 1.72.0-2
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
DEBIAN-CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...
CVE-2023-23916
CVE-2023-23916 involves curl before 7.88.0 where an attacker could abuse the chained HTTP compression chain to create a degenerate decompression path. Although the cap on the number of links is per header, a malicious server can inject many headers to form an effectively unlimited decompression c...