CVE-2023-5954
published 2023-11-09CVE-2023-5954: HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these…
PriorityP337high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.72%
49.2th percentile
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.13.10 | 1.13.10 |
| github.com | hashicorp_vault | >= 1.14.0 < 1.14.6 | 1.14.6 |
| github.com | hashicorp_vault | >= 1.15.0 < 1.15.2 | 1.15.2 |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | — | — |
| hashicorp | vault | >= 1.13.7 < 1.13.10 | 1.13.10 |
| hashicorp | vault | >= 1.14.3 < 1.14.6 | 1.14.6 |
| hashicorp | vault | >= 1.15.0 < 1.15.2 | 1.15.2 |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| hashicorp | vault_enterprise | — | — |
| mozilla | firefox | >= 0 < 111.0.1+build2-0ubuntu0.18.04.1 | 111.0.1+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 111.0.1+build2-0ubuntu0.20.04.1 | 111.0.1+build2-0ubuntu0.20.04.1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv4.3MEDIUM
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
osv·2024-08-21
CVE-2023-5954 HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
OSV
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
osv·2023-11-09
CVE-2023-5954 [HIGH] HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
GHSA
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
ghsa·2023-11-09
CVE-2023-5954 [HIGH] CWE-401 HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
OSV
firefox regressions
osv·2023-03-27·CVSS 4.3
CVE-2023-25750 firefox regressions
firefox regressions
USN-5954-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2023-25750,
CVE-2023-25752, CVE-2023-28162, CVE-2023-28176, CVE-2023-28177)
Lukas Bernhard discovered that Firefox did not properly manage memory
when invalidating JIT code while following an iterator. An attacker could
potentially exploits this issue to cause a denial of service.
(CVE-2023-25751)
Rob Wu discovered
Red Hat
vault: inbound client requests can trigger a denial of service
vendor_redhat·2023-11-09·CVSS 5.9
CVE-2023-5954 [MEDIUM] CWE-401 vault: inbound client requests can trigger a denial of service
vault: inbound client requests can trigger a denial of service
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
A flaw was found in The HashiCorp Vault, which may be susceptible to a denial of service due to an unbounded consumption of memory when handling policy requests. This issue may allow an attacker to trigger policy checks by sending multiple inbound client requests that create a logger that is never removed from memory, leading to excessive memory consumption, causing a denial of service condition.
Package: odf4/ocs-rhel9-operator (Red Hat Openshift Data Foundation 4) - Not affected
Pack
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926https://security.netapp.com/advisory/ntap-20231227-0001/https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926https://security.netapp.com/advisory/ntap-20231227-0001/
2023-11-09
Published