Fluid Attacks Database

Description

Hashicorp Vault vulnerable to denial of service through memory exhaustion Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/vault	>=1.2.0 <1.18.1	1.18.1
go	github.com/openbao/openbao	>=0 <2.0.3	2.0.3

Aliases

1. CVE-2024-81852. NVD-2024-81853. OSV-2024-81854. GCVE-2024-8185

References

1. https://github.com/hashicorp/vault/commit/195dfca433028887973f5bd82d173d91fe9dab4a2. https://discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/710473. https://openbao.org/docs/release-notes/2-0-0/#203

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.