x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246

GoVulnBot · 2024-10-31T21:01:26Z

Advisory GHSA-g233-2p4r-3q7v references a vulnerability in the following Go modules:

Module
github.com/hashicorp/vault

Description:
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

References:

Cross references:

github.com/hashicorp/vault appears in 36 other report(s):
- data/reports/GO-2022-0578.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578)
- data/reports/GO-2022-0590.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590)
- data/reports/GO-2022-0611.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611)
- data/reports/GO-2022-0618.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618)
- data/reports/GO-2022-0620.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620)
- data/reports/GO-2022-0623.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623)
- data/reports/GO-2022-0632.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632)
- data/reports/GO-2022-0778.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778)
- data/reports/GO-2022-0816.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816)
- data/reports/GO-2022-0825.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825)
- data/reports/GO-2022-1021.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021)
- data/reports/GO-2023-1685.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685)
- data/reports/GO-2023-1708.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708)
- data/reports/GO-2023-1709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709)
- data/reports/GO-2023-1849.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849)
- data/reports/GO-2023-1897.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f #1897)
- data/reports/GO-2023-1900.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900)
- data/reports/GO-2023-1986.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9v3w-w2jh-4hff #1986)
- data/reports/GO-2023-2063.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v84f-6r39-cpfc #2063)
- data/reports/GO-2023-2088.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-86c6-3g63-5w64 #2088)
- data/reports/GO-2023-2329.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-4qhc-v8r6-8vwm #2329)
- data/reports/GO-2023-2399.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6p62-6cg9-f5f5 #2399)
- data/reports/GO-2024-2485.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-j6vv-vv26-rh7c #2485)
- data/reports/GO-2024-2486.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-m979-w9wj-qfj9 #2486)
- data/reports/GO-2024-2488.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-4mp7-2m29-gqxf #2488)
- data/reports/GO-2024-2508.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rpgp-9hmg-j25x #2508)
- data/reports/GO-2024-2509.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rq95-xf66-j689 #2509)
- data/reports/GO-2024-2511.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: CVE-2024-0831 #2511)
- data/reports/GO-2024-2514.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-57gg-cj55-q5g2 #2514)
- data/reports/GO-2024-2617.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-r3w7-mfpm-c2vw #2617)
- data/reports/GO-2024-2690.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-j2rp-gmqv-frhv #2690)
- data/reports/GO-2024-2921.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921)
- data/reports/GO-2024-2982.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-2qmw-pvf7-4mw6 #2982)
- data/reports/GO-2024-3113.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113)
- data/reports/GO-2024-3162.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jg74-mwgw-v6x3 #3162)
- data/reports/GO-2024-3191.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rr8j-7w34-xp5j #3191)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.2.0
        - fixed: 1.18.1
      vulnerable_at: 1.18.0
summary: Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault
cves:
    - CVE-2024-8185
ghsas:
    - GHSA-g233-2p4r-3q7v
references:
    - advisory: https://github.com/advisories/GHSA-g233-2p4r-3q7v
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8185
    - fix: https://github.com/hashicorp/vault/commit/195dfca433028887973f5bd82d173d91fe9dab4a
    - web: https://discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/71047
source:
    id: GHSA-g233-2p4r-3q7v
    created: 2024-10-31T21:01:26.317811365Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-11-01T20:44:09Z

Change https://go.dev/cl/624496 mentions this issue: data/reports: add GO-2024-3246

zpavlinovic added the triaged label Nov 1, 2024

zpavlinovic self-assigned this Nov 1, 2024

gopherbot closed this as completed in 080bdca Nov 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246

GoVulnBot commented Oct 31, 2024

gopherbot commented Nov 1, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246

Comments

GoVulnBot commented Oct 31, 2024

gopherbot commented Nov 1, 2024