CVE-2023-5954

Summary

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.15.0affected
HashiCorpVault1.15.1affected
HashiCorpVault1.14.3affected
HashiCorpVault1.14.4affected
HashiCorpVault1.14.5affected
HashiCorpVault1.13.7affected
HashiCorpVault1.13.8affected
HashiCorpVault1.13.9affected
HashiCorpVault Enterprise1.15.0affected
HashiCorpVault Enterprise1.15.1affected
HashiCorpVault Enterprise1.14.3affected
HashiCorpVault Enterprise1.14.4affected
HashiCorpVault Enterprise1.14.5affected
HashiCorpVault Enterprise1.13.7affected
HashiCorpVault Enterprise1.13.8affected
HashiCorpVault Enterprise1.13.9affected

Weaknesses

  • CWE-401: CWE-401: Missing Release of Memory after Effective Lifetime

ADP Enrichment

CVE Program Container

Additional References

References