Alpine: curl: security update to 7.87.0-r2

critical Tenable Self-Hosted Container Security Plugin ID 404034

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause
HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the
URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same
command line because the state would not be properlycarried on. (CVE-2023-23914)

- A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause
HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when
HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers
are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A
later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
(CVE-2023-23915)

- An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the
"chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and
potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain"
wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a
virtually unlimited number of compression steps simply byusing many headers. The use of such a
decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of
allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-23914

https://security.alpinelinux.org/vuln/CVE-2023-23915

https://security.alpinelinux.org/vuln/CVE-2023-23916

Plugin Details

Severity: Critical

ID: 404034

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2023-23914

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/17/2023

Reference Information

CVE: CVE-2023-23914, CVE-2023-23915, CVE-2023-23916

IAVA: 2023-A-0008-S, 2023-A-0108-S, 2023-A-0531-S