Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HHashicorp Vault
APPHashicorp1.18.01.2.0 – 1.16.12 (bez)1.2.0 – 1.18.1 (bez)1.17.0 – 1.17.8 (bez)Openbao
APPOpenbao< 2.0.3
Related vulnerabilities
OpenBao: zdalne phishing przez JWT/OIDC bez potwierdzenia logowania
XSS w OpenBao — kradzież tokenu Web UI przez parametr error_description
OpenBao: ominięcie restrykcji przez subsystem audytu — RCE i dostęp sieciowy
HashiCorp Vault: RCE przez uprzywilejowanego operatora via sys/audit
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity...