CVE-2024-8185

Summary

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.2.0 < 1.18.1affected
HashiCorpVault Enterprise1.2.0 < 1.18.1affected

Weaknesses

  • CWE-636: CWE-636: Not Failing Securely (Failing Open)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References