CVE-2023-6337

Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.

Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-11-27 CVE Reserved
  • 2023-12-08 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-11-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
  • CAPEC-130: Excessive Allocation
Affected Vendors, Products, and Versions
Vendor     Product  Version              Other       Status
Hashicorp  Vault    <= 1.12.0            -           Affected
Hashicorp  Vault    <= 1.12.0            enterprise  Affected
Hashicorp  Vault    >= 1.13.0 < 1.13.12  -           Affected
Hashicorp  Vault    >= 1.13.0 < 1.13.12  enterprise  Affected
Hashicorp  Vault    >= 1.14.0 < 1.14.8   -           Affected
Hashicorp  Vault    >= 1.14.0 < 1.14.8   enterprise  Affected
Hashicorp  Vault    >= 1.15.0 < 1.15.4   -           Affected
Hashicorp  Vault    >= 1.15.0 < 1.15.4   enterprise  Affected