blob: cf45e8147eac31c07cc87a6774cae8be3385c110 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2023-2399",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-6337",
"GHSA-6p62-6cg9-f5f5"
],
"summary": "Denial of service via memory exhaustion in github.com/hashicorp/vault",
"details": "Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.",
"affected": [
{
"package": {
"name": "github.com/hashicorp/vault",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.13.12"
},
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.8"
},
{
"introduced": "1.15.0"
},
{
"fixed": "1.15.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/vault/helper/forwarding",
"symbols": [
"GenerateForwardedHTTPRequest",
"GenerateForwardedRequest"
]
},
{
"path": "github.com/hashicorp/vault/http",
"symbols": [
"HandlerAnchor.Handler",
"TestServer",
"TestServerWithListener",
"TestServerWithListenerAndProperties",
"handler",
"parseFormRequest",
"parseJSONRequest",
"rateLimitQuotaWrapping",
"wrapGenericHandler"
]
},
{
"path": "github.com/hashicorp/vault/vault",
"symbols": [
"Core.DetermineRoleFromLoginRequest",
"Core.DetermineRoleFromLoginRequestFromBytes",
"Core.ForwardRequest",
"Core.HandleRequest",
"NewSystemBackend",
"NewTestCluster",
"SystemBackend.handleStorageRaftSnapshotWrite",
"TestCluster.InitCores",
"TestCoreUnsealed",
"TestCoreUnsealedRaw",
"TestCoreUnsealedWithConfig",
"TestCoreUnsealedWithMetrics",
"TestCoreWithCustomResponseHeaderAndUI"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741"
},
{
"type": "FIX",
"url": "https://github.com/hashicorp/vault/pull/24354"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-2399",
"review_status": "REVIEWED"
}
}