Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption
CVE-2023-5954

7.5HIGH

Key Information:

Vendor: HashiCorp
Status: Vault; Vault Enterprise
Vendor: CVE Published:; 9 November 2023

Summary

A vulnerability in HashiCorp Vault and Vault Enterprise allows inbound client requests that trigger a policy check to lead to unbounded memory consumption. This condition can escalate and result in denial-of-service occurrences, impacting the availability of the service. The vulnerability has been resolved in Vault versions 1.15.2, 1.14.6, and 1.13.10.

Affected Version(s)

Vault Enterprise Windows 1.15.0

Vault Enterprise Windows 1.15.1

Vault Enterprise Windows 1.14.3

References

https://discuss.hashicorp.com/t/hcsec-2023-33-vault-reque...

https://security.netapp.com/advisory/ntap-20231227-0001/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 9, 2023
Vulnerability Reserved
Nov 3, 2023