Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests

CVE-2023-6337

7.5HIGH

Key Information

Vendor: HashiCorp
Status: Vault; Vault Enterprise
Vendor: CVE Published:; 8 December 2023

Summary

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

Affected Version(s)

Vault < 1.15.4

Vault Enterprise < 1.15.4

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Dec 8, 2023
Vulnerability Reserved.
Nov 27, 2023

Collectors

NVD DatabaseMitre Database