High severity · NVD Advisory · Published Oct 31, 2024 · Updated Oct 31, 2024
Vault Vulnerable to Denial of Service When Processing Raft Join Requests
CVE-2024-8185
Description
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack via memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint, which may cause Vault to consume excessive system memory, potentially leading to a crash of the underlying system and the Vault process itself.
This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/hashicorp/vault | Go | >= 1.2.0, < 1.18.1 | 1.18.1 |
| github.com/openbao/openbao | Go | < 2.0.3 | 2.0.3 |
Affected products
13 products (OSV coordinates), 11 versions
Package URLs:
- pkg:apk/chainguard/vault-1.18
- pkg:apk/chainguard/vault-1.18-compat
- pkg:bitnami/vault
- pkg:golang/github.com/hashicorp/vault
- pkg:golang/github.com/openbao/openbao
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.5
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5
- pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
- pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Package%20Hub%2012
Version ranges (in the order listed on the page):
- (no CPE) range: < 1.18.1-r0
- (no CPE) range: < 1.18.1-r0
- (no CPE) range: >= 1.2.0, < 1.18.1
- (no CPE) range: >= 1.2.0, < 1.18.1
- (no CPE) range: < 2.0.3
- (no CPE) range: < 0.0.20241104T154416-150000.1.12.1
- (no CPE) range: < 0.0.20241104T154416-150000.1.12.1
- (no CPE) range: < 0.0.20241101T215616-1.1
- (no CPE) range: < 0.0.20241104T154416-150000.1.12.1
- (no CPE) range: < 0.0.20241104T154416-150000.1.12.1
- (no CPE) range: < 0.0.20241104T154416-5.1
- Range: 1.2.0
References (5)
- github.com/advisories/GHSA-g233-2p4r-3q7v (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-8185 (source: GHSA; type: advisory)
- discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/71047 (source: GHSA; type: web)
- github.com/hashicorp/vault/commit/195dfca433028887973f5bd82d173d91fe9dab4a (source: GHSA; type: web)
- openbao.org/docs/release-notes/2-0-0/ (source: GHSA; type: web)