Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests
CVE-2023-6337

7.5HIGH

Key Information:

Vendor: HashiCorp
Status: Vault; Vault Enterprise
Vendor: CVE Published:; 8 December 2023

Summary

HashiCorp Vault and Vault Enterprise versions starting from 1.12.0 are susceptible to a denial of service threat. This vulnerability arises when the software processes large HTTP requests, both authenticated and unauthenticated, potentially exhausting the available memory on the host system. As Vault attempts to allocate memory for these requests, it can lead to crashes, impairing service availability. HashiCorp has addressed this vulnerability in versions 1.15.4, 1.14.8, and 1.13.12, making it crucial for users to update promptly.

Affected Version(s)

Vault Enterprise Windows 1.12.0 < 1.15.4

Vault Windows 1.12.0 < 1.15.4

References

https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulne...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 8, 2023
Vulnerability Reserved
Nov 27, 2023