Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption
CVE-2023-5954

5.9MEDIUM

Key Information:

Vendor
Hashicorp
Vendor
CVE Published:
9 November 2023

Summary

A vulnerability in HashiCorp Vault and Vault Enterprise allows inbound client requests that trigger a policy check to lead to unbounded memory consumption. This condition can escalate and result in denial-of-service occurrences, impacting the availability of the service. The vulnerability has been resolved in Vault versions 1.15.2, 1.14.6, and 1.13.10.

Affected Version(s)

Vault Enterprise Windows 1.15.0

Vault Enterprise Windows 1.15.1

Vault Enterprise Windows 1.14.3

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.