Veracode Vulnerability DatabaseVERACODE:33404Denial Of Service (DoS)
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C
github.com/hashicorp/vault is vulnerable to denial of service. The vulnerability exists input function of raft.go because the entry key size is never checked with the max key size which leads to an application crash.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/hashicorp/vault | le | v1.9.0 | |
| github.com/hashicorp/vault | le | v1.9.0 |
References
discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-integrated-storage-exposed-to-authenticated-denial-of-service/33157
github.com/hashicorp/vault/commit/231b56503684356c6e15245f9382b8d0b8c42091
github.com/hashicorp/vault/commit/7c65db6bc53b2f9fff15c5134656ee3b2c5c6d0e
github.com/hashicorp/vault/issues/13281
github.com/hashicorp/vault/pull/13282
github.com/hashicorp/vault/pull/13286
security.gentoo.org/glsa/202207-01
www.hashicorp.com/blog/category/vault
Related
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C