CVE-2023-6337 — Allocation of Resources Without Limits or Throttling in Vault

CWE-770 — Allocation of Resources Without Limits or Throttling6 documents5 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vault Hashicorp Vault Enterprise Github.com Hashicorp Vault +5 more

Timeline

PublishedDec 8

Latest updateJan 3

Description

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

▶CVEListV5hashicorp/vault_enterprise1.12.0 — 1.15.4

▶CVEListV5hashicorp/vault1.12.0 — 1.15.4

▶NVDhashicorp/vault1.13.0 — 1.13.12+3

▶Gogithub.com/hashicorp_vault1.12.0 — 1.13.12+2

▶msrcmsrc/azure_linux_3.0_arm

🔴Vulnerability Details

OSV

Denial of service via memory exhaustion in github.com/hashicorp/vault↗2024-01-03

▶

GHSA

Memory exhaustion in HashiCorp Vault↗2023-12-09

▶

OSV

Memory exhaustion in HashiCorp Vault↗2023-12-09

▶

📋Vendor Advisories

Microsoft

Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests↗2023-12-12

▶

Red Hat

hashicorp-vault: denial of service through memory exhaustion↗2023-12-08

▶