{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-5954","assignerOrgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","state":"PUBLISHED","assignerShortName":"HashiCorp","dateReserved":"2023-11-03T16:18:00.469Z","datePublished":"2023-11-09T20:13:49.346Z","dateUpdated":"2025-02-13T17:25:58.499Z"},"containers":{"cna":{"providerMetadata":{"orgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","shortName":"HashiCorp","dateUpdated":"2023-12-27T15:06:30.558Z"},"title":"Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-401","description":"CWE-401: Missing Release of Memory after Effective Lifetime","type":"CWE"}]}],"affected":[{"vendor":"HashiCorp","product":"Vault","platforms":["Windows","MacOS","Linux","x86","ARM","64 bit","32 bit"],"versions":[{"status":"affected","version":"1.15.0"},{"status":"affected","version":"1.15.1"},{"status":"affected","version":"1.14.3"},{"status":"affected","version":"1.14.4"},{"status":"affected","version":"1.14.5"},{"status":"affected","version":"1.13.7"},{"status":"affected","version":"1.13.8"},{"status":"affected","version":"1.13.9"}],"defaultStatus":"unaffected"},{"vendor":"HashiCorp","product":"Vault Enterprise","platforms":["Windows","MacOS","Linux","x86","ARM","64 bit","32 bit"],"versions":[{"status":"affected","version":"1.15.0"},{"status":"affected","version":"1.15.1"},{"status":"affected","version":"1.14.3"},{"status":"affected","version":"1.14.4"},{"status":"affected","version":"1.14.5"},{"status":"affected","version":"1.13.7"},{"status":"affected","version":"1.13.8"},{"status":"affected","version":"1.13.9"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. \nFixed in Vault 1.15.2, 1.14.6, and 1.13.10.","supportingMedia":[{"type":"text/html","base64":false,"value":"HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10."}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926"},{"url":"https://security.netapp.com/advisory/ntap-20231227-0001/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"MEDIUM","baseScore":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"source":{"discovery":"INTERNAL"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T08:14:25.126Z"},"title":"CVE Program Container","references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20231227-0001/","tags":["x_transferred"]}]}]}}