CVE-2023-6337

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-6337
HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741 Vendor Advisory
https://security.netapp.com/advisory/ntap-20240112-0006/
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
History

12 Jan 2024, 14:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240112-0006/ -

13 Dec 2023, 18:06

Type Values Removed Values Added
First Time Hashicorp
Hashicorp vault
References () https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741 - () https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741 - Vendor Advisory
Summary
  • (es) HashiCorp Vault y Vault Enterprise 1.12.0 y versiones posteriores son vulnerables a una denegación de servicio debido al agotamiento de la memoria del host cuando se manejan grandes solicitudes HTTP autenticadas y no autenticadas de un cliente. Vault intentará asignar la solicitud a la memoria, lo que provocará que se agote la memoria disponible en el host, lo que puede provocar que Vault falle. Corregido en Vault 1.15.4, 1.14.8, 1.13.12.
CPE cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

08 Dec 2023, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-08 22:15

Updated : 2024-01-12 14:15

NVD link : CVE-2023-6337

Mitre link : CVE-2023-6337

CVE.ORG link : CVE-2023-6337

JSON object : View

Products Affected

hashicorp

  • vault
CWE
CWE-770

Allocation of Resources Without Limits or Throttling