2253848 – (CVE-2023-6337) CVE-2023-6337 hashicorp-vault: denial of service through memory exhaustion

Bug 2253848 (CVE-2023-6337) - CVE-2023-6337 hashicorp-vault: denial of service through memory exhaustion

Summary: CVE-2023-6337 hashicorp-vault: denial of service through memory exhaustion

Keywords:
Status:	NEW
Alias:	CVE-2023-6337
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2253849
TreeView+	depends on / blocked

Reported:	2023-12-10 09:44 UTC by ybuenos
Modified:	2025-05-22 13:25 UTC (History)
CC List:	17 users (show)
Fixed In Version:	hashicorp-vault 1.15.4, hashicorp-vault 1.14.8, hashicorp-vault 1.13.12
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description ybuenos 2023-12-10 09:44:56 UTC

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.

Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741

Note You need to log in before you can comment on or make changes to this bug.