cURL up to 7.87.x HTTP Compression allocation of resources

Summaryinfo

A vulnerability, which was classified as problematic, was found in cURL up to 7.87.x. Affected by this issue is some unknown functionality of the component HTTP Compression Handler. The manipulation results in allocation of resources. This vulnerability is identified as CVE-2023-23916. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in cURL up to 7.87.x (Network Utility Software). Affected is some unknown functionality of the component HTTP Compression Handler. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. This is going to have an impact on availability. CVE summarizes:

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

The weakness was released 02/24/2023. The advisory is available at hackerone.com. This vulnerability is traded as CVE-2023-23916 since 01/19/2023. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1499 by the MITRE ATT&CK project.

The vulnerability scanner Nessus provides a plugin with the ID 215380 (Azure Linux 3.0 Security Update: cmake / curl / mysql / rust / tensorflow (CVE-2023-23916)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 7.88.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (215380). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Network Utility Software

Name

• cURL

Version

• 7.0
• 7.1
• 7.2
• 7.3
• 7.4
• 7.5
• 7.6
• 7.7
• 7.8
• 7.9
• 7.10
• 7.11
• 7.12
• 7.13
• 7.14
• 7.15
• 7.16
• 7.17
• 7.18
• 7.19
• 7.20
• 7.21
• 7.22
• 7.23
• 7.24
• 7.25
• 7.26
• 7.27
• 7.28
• 7.29
• 7.30
• 7.31
• 7.32
• 7.33
• 7.34
• 7.35
• 7.36
• 7.37
• 7.38
• 7.39
• 7.40
• 7.41
• 7.42
• 7.43
• 7.44
• 7.45
• 7.46
• 7.47
• 7.48
• 7.49
• 7.50
• 7.51
• 7.52
• 7.53
• 7.54
• 7.55
• 7.56
• 7.57
• 7.58
• 7.59
• 7.60
• 7.61
• 7.62
• 7.63
• 7.64
• 7.65
• 7.66
• 7.67
• 7.68
• 7.69
• 7.70
• 7.71
• 7.72
• 7.73
• 7.74
• 7.75
• 7.76
• 7.77
• 7.78
• 7.79
• 7.80
• 7.81
• 7.82
• 7.83
• 7.84
• 7.85
• 7.86
• 7.87

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion