Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:apk/alpine/curl@7.88.0-r0?arch=s390x&distroversion=v3.20&reponame=main

Type apk

Namespace alpine

Name curl

Version 7.88.0-r0

Qualifiers

arch	s390x
distroversion	v3.20
reponame	main

Subpath

Is_vulnerable false

Next_non_vulnerable_version 8.0.0-r0

Latest_non_vulnerable_version 8.14.1-r0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-cfry-nx5h-kudv

vulnerability_id VCID-cfry-nx5h-kudv

summary An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23916.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23916.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-23916

reference_id

reference_type

scores

value	0.00066
scoring_system	epss
scoring_elements	0.20718
published_at	2026-06-04T12:55:00Z

value	0.00066
scoring_system	epss
scoring_elements	0.20793
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-23916

reference_url

https://curl.se/docs/CVE-2023-23916.html

reference_id

reference_type

scores

value	Medium
scoring_system	cvssv3.1
scoring_elements

url

https://curl.se/docs/CVE-2023-23916.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://hackerone.com/reports/1826048

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T18:24:35Z/

url

https://hackerone.com/reports/1826048

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371
reference_id	1031371
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2167815
reference_id	2167815
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2167815

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/

reference_id

BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T18:24:35Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/

reference_url

https://www.debian.org/security/2023/dsa-5365

reference_id

dsa-5365

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T18:24:35Z/

url

https://www.debian.org/security/2023/dsa-5365

reference_url

https://security.gentoo.org/glsa/202310-12

reference_id

GLSA-202310-12

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T18:24:35Z/

url

https://security.gentoo.org/glsa/202310-12

reference_url

https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html

reference_id

msg00035.html

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T18:24:35Z/

url

https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html

reference_url

https://security.netapp.com/advisory/ntap-20230309-0006/

reference_id

ntap-20230309-0006

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T18:24:35Z/

url

https://security.netapp.com/advisory/ntap-20230309-0006/

reference_url	https://access.redhat.com/errata/RHSA-2023:1140
reference_id	RHSA-2023:1140
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1140

reference_url	https://access.redhat.com/errata/RHSA-2023:1701
reference_id	RHSA-2023:1701
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1701

reference_url	https://access.redhat.com/errata/RHSA-2023:1842
reference_id	RHSA-2023:1842
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1842

reference_url	https://access.redhat.com/errata/RHSA-2023:3354
reference_id	RHSA-2023:3354
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3354

reference_url	https://access.redhat.com/errata/RHSA-2023:3355
reference_id	RHSA-2023:3355
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3355

reference_url	https://access.redhat.com/errata/RHSA-2023:3460
reference_id	RHSA-2023:3460
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3460

reference_url	https://access.redhat.com/errata/RHSA-2023:4139
reference_id	RHSA-2023:4139
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:4139

reference_url	https://usn.ubuntu.com/5891-1/
reference_id	USN-5891-1
reference_type
scores
url	https://usn.ubuntu.com/5891-1/

fixed_packages

url	pkg:apk/alpine/curl@7.88.0-r0?arch=s390x&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/curl@7.88.0-r0?arch=s390x&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/curl@7.88.0-r0%3Farch=s390x&distroversion=v3.20&reponame=main

aliases CVE-2023-23916

risk_score 3.0

exploitability 0.5

weighted_severity 5.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cfry-nx5h-kudv

url VCID-nwvb-d466-4uaa

vulnerability_id VCID-nwvb-d466-4uaa

summary A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23915.json

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23915.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-23915

reference_id

reference_type

scores

value	0.00039
scoring_system	epss
scoring_elements	0.11875
published_at	2026-06-04T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11961
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-23915

reference_url

https://curl.se/docs/CVE-2023-23915.html

reference_id

reference_type

scores

value	Low
scoring_system	cvssv3.1
scoring_elements

url

https://curl.se/docs/CVE-2023-23915.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23915
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23915

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://hackerone.com/reports/1814333
reference_id
reference_type
scores
url	https://hackerone.com/reports/1814333

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371
reference_id	1031371
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2167813
reference_id	2167813
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2167813

reference_url

https://security.gentoo.org/glsa/202310-12

reference_id

GLSA-202310-12

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-03T18:46:29Z/

url

https://security.gentoo.org/glsa/202310-12

reference_url

https://security.netapp.com/advisory/ntap-20230309-0006/

reference_id

ntap-20230309-0006

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-03T18:46:29Z/

url

https://security.netapp.com/advisory/ntap-20230309-0006/

reference_url	https://access.redhat.com/errata/RHSA-2023:3354
reference_id	RHSA-2023:3354
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3354

reference_url	https://access.redhat.com/errata/RHSA-2023:3355
reference_id	RHSA-2023:3355
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3355

reference_url	https://usn.ubuntu.com/5891-1/
reference_id	USN-5891-1
reference_type
scores
url	https://usn.ubuntu.com/5891-1/

fixed_packages

url	pkg:apk/alpine/curl@7.88.0-r0?arch=s390x&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/curl@7.88.0-r0?arch=s390x&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/curl@7.88.0-r0%3Farch=s390x&distroversion=v3.20&reponame=main

aliases CVE-2023-23915

risk_score 1.9

exploitability 0.5

weighted_severity 3.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nwvb-d466-4uaa

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/curl@7.88.0-r0%3Farch=s390x&distroversion=v3.20&reponame=main

Package Instance