Main Vulnerability Database Vulnerabilities #VU72337

Allocation of Resources Without Limits or Throttling in cURL - CVE-2023-23916

Published: February 16, 2023 / Updated: May 17, 2023

Vulnerability identifier: #VU72337

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-23916

CWE-ID: CWE-770

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: curl.haxx.se

Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect implementation of the "chained" HTTP compression algorithms, where the number of links in the decompression chain was limited for each header instead of the entire request. A remote attacker can send a specially crafted compressed HTTP request with numerous headers and perform a denial of service (DoS) attack.

How to mitigate CVE-2023-23916

Install updates from vendor's website.

Sources

https://curl.haxx.se/docs/CVE-2023-23916.html

Allocation of Resources Without Limits or Throttling in cURL - CVE-2023-23916

Detailed vulnerability description

How to mitigate CVE-2023-23916

Sources

Please verify you're human