{"id":"GHSA-6p62-6cg9-f5f5","summary":"Memory exhaustion in HashiCorp Vault","details":"HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.\n\nFixed in Vault 1.15.4, 1.14.8, 1.13.12.","aliases":["BIT-vault-2023-6337","CVE-2023-6337","GO-2023-2399"],"modified":"2025-02-13T19:28:18Z","published":"2023-12-09T00:35:05Z","database_specific":{"github_reviewed_at":"2023-12-12T00:50:13Z","github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-770"],"nvd_published_at":"2023-12-08T22:15:07Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6337"},{"type":"WEB","url":"https://github.com/hashicorp/vault/pull/24354"},{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741"},{"type":"PACKAGE","url":"https://github.com/hashicorp/vault"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240112-0006"}],"affected":[{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.15.0"},{"fixed":"1.15.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-6p62-6cg9-f5f5/GHSA-6p62-6cg9-f5f5.json"}},{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.14.0"},{"fixed":"1.14.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-6p62-6cg9-f5f5/GHSA-6p62-6cg9-f5f5.json"}},{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.12.0"},{"fixed":"1.13.12"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-6p62-6cg9-f5f5/GHSA-6p62-6cg9-f5f5.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}