CVE - CVE-2022-32206

CVE-ID
CVE-2022-32206	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf CONFIRM:https://security.netapp.com/advisory/ntap-20220915-0003/ CONFIRM:https://support.apple.com/kb/HT213488 DEBIAN:DSA-5197 URL:https://www.debian.org/security/2022/dsa-5197 FEDORA:FEDORA-2022-1b3d7f6973 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/ FULLDISC:20221030 APPLE-SA-2022-10-24-2 macOS Ventura 13 URL:http://seclists.org/fulldisclosure/2022/Oct/28 FULLDISC:20221030 APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13 URL:http://seclists.org/fulldisclosure/2022/Oct/41 GENTOO:GLSA-202212-01 URL:https://security.gentoo.org/glsa/202212-01 MISC:https://hackerone.com/reports/1570651 URL:https://hackerone.com/reports/1570651 MLIST:[debian-lts-announce] 20220828 [SECURITY] [DLA 3085-1] curl security update URL:https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html MLIST:[oss-security] 20230215 curl: CVE-2023-23916: HTTP multi-header compression denial of service URL:http://www.openwall.com/lists/oss-security/2023/02/15/3
Assigning CNA
HackerOne
Date Record Created
20220601	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220601)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)