Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption
CVE-2023-5954

7.5HIGH

Key Information:

Vendor: HashiCorp
Status: Vault; Vault Enterprise
Vendor: CVE Published:; 9 November 2023

Summary

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Affected Version(s)

Vault Enterprise Windows 1.15.0

Vault Enterprise Windows 1.15.1

Vault Enterprise Windows 1.14.3

References

https://discuss.hashicorp.com/t/hcsec-2023-33-vault-reque...

https://security.netapp.com/advisory/ntap-20231227-0001/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 9, 2023
Vulnerability Reserved
Nov 3, 2023

Collectors

NVD DatabaseMitre Database