{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-6337","assignerOrgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","state":"PUBLISHED","assignerShortName":"HashiCorp","dateReserved":"2023-11-27T18:55:16.606Z","datePublished":"2023-12-08T21:12:31.712Z","dateUpdated":"2025-02-13T17:26:18.153Z"},"containers":{"cna":{"providerMetadata":{"orgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","shortName":"HashiCorp","dateUpdated":"2024-01-12T14:06:26.047Z"},"title":"Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-770","description":"CWE-770 Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-130","descriptions":[{"lang":"en","value":"CAPEC-130 Excessive Allocation"}]}],"affected":[{"vendor":"HashiCorp","product":"Vault","platforms":["Windows","MacOS","Linux","x86","ARM","64 bit","32 bit"],"repo":"https://github.com/hashicorp/vault","versions":[{"status":"affected","version":"1.12.0","lessThan":"1.15.4","changes":[{"at":"1.14.8","status":"unaffected"},{"at":"1.13.2","status":"unaffected"}],"versionType":"semver"}],"defaultStatus":"unaffected"},{"vendor":"HashiCorp","product":"Vault Enterprise","platforms":["Windows","MacOS","Linux","x86","ARM","64 bit","32 bit"],"versions":[{"status":"affected","version":"1.12.0","lessThan":"1.15.4","changes":[{"at":"1.14.8","status":"unaffected"},{"at":"1.13.2","status":"unaffected"}],"versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.\n\nFixed in Vault 1.15.4, 1.14.8, 1.13.12.","supportingMedia":[{"type":"text/html","base64":false,"value":"<span style=\"background-color: transparent;\">HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.<br><br>Fixed in&nbsp;<span style=\"background-color: transparent;\">Vault 1.15.4, 1.14.8, 1.13.12.</span><br></span><br>"}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741"},{"url":"https://security.netapp.com/advisory/ntap-20240112-0006/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"source":{"advisory":"HCSEC-2023-34","discovery":"USER"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T08:28:21.284Z"},"title":"CVE Program Container","references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20240112-0006/","tags":["x_transferred"]}]}]}}