CVE-2021-45042: Uncontrolled Resource Consumption in Vault

Severity: 4.9 MEDIUM (NVD)
EPSS: 0.4% (top 37.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Dec 17; latest update Dec 18

Description

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.2 | Impact: 3.6

Affected Packages (1 package)

NVD: hashicorp/vault, affected from 1.4.0 up to 1.7.7 (+2 further version ranges)

Vulnerability Details (1)

GHSA: GHSA-cr6r-4g38-f69g: In HashiCorp Vault and Vault Enterprise before 1 (2021-12-18)

Vendor Advisories (1)

Red Hat: vault: clusters using the integrated storage backend allowed an authenticated user to cause a DoS of the storage backend (2021-12-13)