vulndb/data/osv/GO-2023-2399.json

{
  "schema_version": "1.3.1",
  "id": "GO-2023-2399",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2023-6337",
    "GHSA-6p62-6cg9-f5f5"
  ],
  "summary": "Denial of service via memory exhaustion in github.com/hashicorp/vault",
  "details": "Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.",
  "affected": [
    {
      "package": {
        "name": "github.com/hashicorp/vault",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.13.12"
            },
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.8"
            },
            {
              "introduced": "1.15.0"
            },
            {
              "fixed": "1.15.4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/hashicorp/vault/helper/forwarding",
            "symbols": [
              "GenerateForwardedHTTPRequest",
              "GenerateForwardedRequest"
            ]
          },
          {
            "path": "github.com/hashicorp/vault/http",
            "symbols": [
              "HandlerAnchor.Handler",
              "TestServer",
              "TestServerWithListener",
              "TestServerWithListenerAndProperties",
              "handler",
              "parseFormRequest",
              "parseJSONRequest",
              "rateLimitQuotaWrapping",
              "wrapGenericHandler"
            ]
          },
          {
            "path": "github.com/hashicorp/vault/vault",
            "symbols": [
              "Core.DetermineRoleFromLoginRequest",
              "Core.DetermineRoleFromLoginRequestFromBytes",
              "Core.ForwardRequest",
              "Core.HandleRequest",
              "NewSystemBackend",
              "NewTestCluster",
              "SystemBackend.handleStorageRaftSnapshotWrite",
              "TestCluster.InitCores",
              "TestCoreUnsealed",
              "TestCoreUnsealedRaw",
              "TestCoreUnsealedWithConfig",
              "TestCoreUnsealedWithMetrics",
              "TestCoreWithCustomResponseHeaderAndUI"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741"
    },
    {
      "type": "FIX",
      "url": "https://github.com/hashicorp/vault/pull/24354"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2023-2399",
    "review_status": "REVIEWED"
  }
}
data/reports: add GO-2023-2399.yaml Aliases: CVE-2023-6337, GHSA-6p62-6cg9-f5f5 Fixes golang/vulndb#2399 Change-Id: Ib7a3ac1cf3977dcc0345786f706d5169df79eac9 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/551996 Run-TryBot: Tim King <taking@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-12-20 03:40:32 +03:00			`{`
			`"schema_version": "1.3.1",`
			`"id": "GO-2023-2399",`
			`"modified": "0001-01-01T00:00:00Z",`
			`"published": "0001-01-01T00:00:00Z",`
			`"aliases": [`
			`"CVE-2023-6337",`
			`"GHSA-6p62-6cg9-f5f5"`
			`],`
			`"summary": "Denial of service via memory exhaustion in github.com/hashicorp/vault",`
			`"details": "Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.",`
			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/hashicorp/vault",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "1.12.0"`
			`},`
			`{`
			`"fixed": "1.13.12"`
			`},`
			`{`
			`"introduced": "1.14.0"`
			`},`
			`{`
			`"fixed": "1.14.8"`
			`},`
			`{`
			`"introduced": "1.15.0"`
			`},`
			`{`
			`"fixed": "1.15.4"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/hashicorp/vault/helper/forwarding",`
			`"symbols": [`
			`"GenerateForwardedHTTPRequest",`
			`"GenerateForwardedRequest"`
			`]`
			`},`
			`{`
			`"path": "github.com/hashicorp/vault/http",`
			`"symbols": [`
			`"HandlerAnchor.Handler",`
			`"TestServer",`
			`"TestServerWithListener",`
			`"TestServerWithListenerAndProperties",`
			`"handler",`
			`"parseFormRequest",`
			`"parseJSONRequest",`
			`"rateLimitQuotaWrapping",`
			`"wrapGenericHandler"`
			`]`
			`},`
			`{`
			`"path": "github.com/hashicorp/vault/vault",`
			`"symbols": [`
			`"Core.DetermineRoleFromLoginRequest",`
			`"Core.DetermineRoleFromLoginRequestFromBytes",`
			`"Core.ForwardRequest",`
			`"Core.HandleRequest",`
			`"NewSystemBackend",`
			`"NewTestCluster",`
			`"SystemBackend.handleStorageRaftSnapshotWrite",`
			`"TestCluster.InitCores",`
			`"TestCoreUnsealed",`
			`"TestCoreUnsealedRaw",`
			`"TestCoreUnsealedWithConfig",`
			`"TestCoreUnsealedWithMetrics",`
			`"TestCoreWithCustomResponseHeaderAndUI"`
			`]`
			`}`
			`]`
			`}`
			`}`
			`],`
			`"references": [`
			`{`
			`"type": "ADVISORY",`
			`"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337"`
			`},`
			`{`
			`"type": "WEB",`
			`"url": "https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741"`
			`},`
			`{`
			`"type": "FIX",`
			`"url": "https://github.com/hashicorp/vault/pull/24354"`
			`}`
			`],`
			`"database_specific": {`
data: apply REVIEWED status to all existing reports and osv Change-Id: I862c5bb24b9c08c29f0d437fd1be61da0319ef0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-05-14 22:19:00 +03:00			`"url": "https://pkg.go.dev/vuln/GO-2023-2399",`
			`"review_status": "REVIEWED"`
data/reports: add GO-2023-2399.yaml Aliases: CVE-2023-6337, GHSA-6p62-6cg9-f5f5 Fixes golang/vulndb#2399 Change-Id: Ib7a3ac1cf3977dcc0345786f706d5169df79eac9 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/551996 Run-TryBot: Tim King <taking@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-12-20 03:40:32 +03:00			`}`
			`}`