Vulnerability Details : CVE-2023-5954
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
Vulnerability category: Denial of service
Products affected by CVE-2023-5954
- cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5954
0.09% (probability of exploitation activity in the next 30 days)
~39% percentile (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-5954
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 | HashiCorp Inc. | |
CWE ids for CVE-2023-5954
- The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
Assigned by:
- nvd@nist.gov (Primary)
- security@hashicorp.com (Secondary)
References for CVE-2023-5954
- https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926 (HCSEC-2023-33 - Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption - Security - HashiCorp Discuss) [Vendor Advisory]
- https://security.netapp.com/advisory/ntap-20231227-0001/ (CVE-2023-5954 HashiCorp Vault Vulnerability in NetApp Products | NetApp Product Security)