| { |
| "schema_version": "1.3.1", |
| "id": "GO-2023-2399", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2023-6337", |
| "GHSA-6p62-6cg9-f5f5" |
| ], |
| "summary": "Denial of service via memory exhaustion in github.com/hashicorp/vault", |
| "details": "Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/hashicorp/vault", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "1.12.0" |
| }, |
| { |
| "fixed": "1.13.12" |
| }, |
| { |
| "introduced": "1.14.0" |
| }, |
| { |
| "fixed": "1.14.8" |
| }, |
| { |
| "introduced": "1.15.0" |
| }, |
| { |
| "fixed": "1.15.4" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/hashicorp/vault/helper/forwarding", |
| "symbols": [ |
| "GenerateForwardedHTTPRequest", |
| "GenerateForwardedRequest" |
| ] |
| }, |
| { |
| "path": "github.com/hashicorp/vault/http", |
| "symbols": [ |
| "HandlerAnchor.Handler", |
| "TestServer", |
| "TestServerWithListener", |
| "TestServerWithListenerAndProperties", |
| "handler", |
| "parseFormRequest", |
| "parseJSONRequest", |
| "rateLimitQuotaWrapping", |
| "wrapGenericHandler" |
| ] |
| }, |
| { |
| "path": "github.com/hashicorp/vault/vault", |
| "symbols": [ |
| "Core.DetermineRoleFromLoginRequest", |
| "Core.DetermineRoleFromLoginRequestFromBytes", |
| "Core.ForwardRequest", |
| "Core.HandleRequest", |
| "NewSystemBackend", |
| "NewTestCluster", |
| "SystemBackend.handleStorageRaftSnapshotWrite", |
| "TestCluster.InitCores", |
| "TestCoreUnsealed", |
| "TestCoreUnsealedRaw", |
| "TestCoreUnsealedWithConfig", |
| "TestCoreUnsealedWithMetrics", |
| "TestCoreWithCustomResponseHeaderAndUI" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/hashicorp/vault/pull/24354" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2023-2399", |
| "review_status": "REVIEWED" |
| } |
| } |