Lucene search

GitHub Advisory DatabaseGHSA-4QHC-V8R6-8VWM

HistoryNov 09, 2023 - 9:30 p.m.

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability

2023-11-0921:30:39

CWE-401

GitHub Advisory Database

github.com

143

hashicorp

vault

memory leak

vulnerability

fix

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

JSON

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Affected configurations

Vulners

Node

hashicorpvaultRange<1.15.2

hashicorpvaultRange<1.14.6

hashicorpvaultRange<1.13.10

CPENameOperatorVersion
github.com/hashicorp/vaultlt1.15.2
github.com/hashicorp/vaultlt1.14.6
github.com/hashicorp/vaultlt1.13.10

Name	Operator	Version
github.com/hashicorp/vault	lt	1.15.2
github.com/hashicorp/vault	lt	1.14.6
github.com/hashicorp/vault	lt	1.13.10

References

discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926

github.com/advisories/GHSA-4qhc-v8r6-8vwm

nvd.nist.gov/vuln/detail/CVE-2023-5954

security.netapp.com/advisory/ntap-20231227-0001/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for GHSA-4QHC-V8R6-8VWM