Bug 2322958 (CVE-2024-8185) - CVE-2024-8185 hashicorp/vault: Vault Vulnerable to Denial of Service When Processing Raft Join Requests
Keywords:
Status: NEW
Alias: CVE-2024-8185
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high (priority) high (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2323231 2323232 2323233 2323234 2323235
Blocks:
Reported: 2024-10-31 16:01 UTC by OSIDB Bzimport
Modified: 2024-11-04 19:26 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-10-31 16:01:18 UTC
Vault Community and Vault Enterprise ("Vault") clusters using Vault's Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack via memory exhaustion through the Raft cluster join API endpoint. An attacker may send a large volume of requests to that endpoint, causing Vault to consume excessive system memory and potentially crashing both the Vault process and the underlying system.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
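The practical check a practitioner wants from this bug is "which of my nodes are exposed": only clusters on Integrated Storage (raft) are in scope, and the fixed release depends on edition and minor line. The script below is an added example, not code from HashiCorp or from this bug; it assumes the node status comes from `vault status -format=json` (whose output carries `version` and `storage_type` fields), that Enterprise builds carry a `+ent` build suffix in their version string, and that every release at or after 1.18.1 includes the fix for both editions. The sample status records are constructed for the example. Versions with no fixed release in their own line (the advisory names none) are reported as affected with the nearest fixed release as the upgrade target.

```python
import json
import re

# Fixed releases named in the advisory above. Community only got a fix in
# 1.18.1; Enterprise got backports to the 1.17 and 1.16 lines as well.
FIXED_COMMUNITY = {(1, 18): (1, 18, 1)}
FIXED_ENTERPRISE = {(1, 18): (1, 18, 1), (1, 17): (1, 17, 8), (1, 16): (1, 16, 12)}
LATEST_FIX = (1, 18, 1)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def fmt(v):
    return ".".join(str(x) for x in v)


def parse_version(version):
    """Split a Vault version string into ((major, minor, patch), is_enterprise).

    Assumption: Enterprise builds carry a '+ent' build-metadata suffix
    (e.g. '1.17.5+ent', '1.16.3+ent.hsm'); Community builds have none.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix.startswith("+ent")


def assess(status):
    """Assess one node from the dict parsed out of `vault status -format=json`.

    Returns a dict with 'affected' (bool), 'reason' (str) and, when affected,
    'upgrade_to' (the fixed release for this edition and minor line).
    """
    storage = status.get("storage_type", "")
    if storage != "raft":
        # Only Integrated Storage clusters expose the Raft join endpoint.
        return {"affected": False,
                "reason": f"storage backend is {storage or 'unknown'}, not Integrated Storage (raft)"}

    version, is_ent = parse_version(status["version"])
    edition = "Enterprise" if is_ent else "Community"
    fixed_lines = FIXED_ENTERPRISE if is_ent else FIXED_COMMUNITY

    # Assumption: 1.18.1 and every later release carry the fix for both editions.
    if version >= LATEST_FIX:
        return {"affected": False,
                "reason": f"{edition} {fmt(version)} is at or past {fmt(LATEST_FIX)}"}

    fixed_in_line = fixed_lines.get(version[:2])
    if fixed_in_line is not None and version >= fixed_in_line:
        return {"affected": False,
                "reason": f"{edition} {fmt(version)} includes the {fmt(fixed_in_line)} fix"}

    # No fixed release at or below this version in its own minor line. The
    # advisory gives no lower bound for affected versions, so treat it as
    # affected and point at the nearest fixed release for this edition.
    target = fixed_in_line or min(fixed_lines.values())
    return {"affected": True,
            "reason": f"{edition} {fmt(version)} on raft storage predates the fix",
            "upgrade_to": fmt(target)}


def report(status_json_lines):
    """Run assess() over one `vault status -format=json` document per line."""
    return [(s.get("version"), assess(s)) for s in map(json.loads, status_json_lines)]


# Constructed sample input: one status document per node, trimmed to the
# fields this check uses.
SAMPLE_STATUS = [
    '{"storage_type": "raft", "version": "1.17.5", "sealed": false}',
    '{"storage_type": "raft", "version": "1.17.5+ent", "sealed": false}',
    '{"storage_type": "raft", "version": "1.16.12+ent.hsm", "sealed": false}',
    '{"storage_type": "consul", "version": "1.17.5", "sealed": false}',
    '{"storage_type": "raft", "version": "1.18.1", "sealed": false}',
]

if __name__ == "__main__":
    for version, result in report(SAMPLE_STATUS):
        flag = "AFFECTED" if result["affected"] else "ok"
        extra = f" -> upgrade to {result['upgrade_to']}" if result["affected"] else ""
        print(f"{version:18} {flag:8} {result['reason']}{extra}")
```

Feed it real output with `vault status -format=json` from each node (one JSON document per line); an unsealed node is not required, since `vault status` answers on sealed nodes too.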

