Vulnerabilities > CVE-2023-5954 - Memory Leak vulnerability in Hashicorp Vault

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

hashicorp

CWE-401

NVD

Published: 2023-11-09

Updated: 2023-12-27

Summary

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Vulnerable Configurations

Part	Description	Count
Application	Hashicorp Hashicorp Vault 1.15.0 Hashicorp Vault * Hashicorp Vault 1.14.3 Hashicorp Vault 1.14.4 Hashicorp Vault 1.13.7 Hashicorp Vault 1.13.8	8

Common Weakness Enumeration (CWE)

CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

References

https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926
https://security.netapp.com/advisory/ntap-20231227-0001/