[{"vendor":"hashicorp","product":"vault","defaultStatus":"unaffected","cpes":["cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*"],"versions":[{"version":"1.2.0","lessThan":"1.18.1","versionType":"custom","status":"affected"},{"version":"1.17.8","status":"unaffected"},{"version":"1.16.12","status":"unaffected"}]},{"vendor":"hashicorp","product":"vault","defaultStatus":"unaffected","cpes":["cpe:2.3:a:hashicorp:vault:*:*:*:*:community:*:*:*"],"versions":[{"version":"1.2.0","lessThan":"1.18.1","versionType":"custom","status":"affected"}]}]

{"timestamp":"2024-10-31T16:54:01.728268Z","id":"CVE-2024-8185","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"HashiCorp","product":"Vault","defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"repo":"https://github.com/hashicorp/vault","versions":[{"version":"1.2.0","lessThan":"1.18.1","versionType":"semver","status":"affected"}]},{"vendor":"HashiCorp","product":"Vault Enterprise","defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"repo":"https://github.com/hashicorp/vault","versions":[{"version":"1.2.0","lessThan":"1.18.1","versionType":"semver","status":"affected","changes":[{"at":"1.17.8","status":"unaffected"},{"at":"1.16.12","status":"unaffected"}]}]}]

OR
          *cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:* versions up to (excluding) 2.0.3

OR
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* versions from (including) 1.2.0 up to (excluding) 1.18.1
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.17.0 up to (excluding) 1.17.8
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.2.0 up to (excluding) 1.16.12
          *cpe:2.3:a:hashicorp:vault:1.18.0:*:*:*:enterprise:*:*:*

HashiCorp Inc.: https://discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/71047 Types: Vendor Advisory

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

HashiCorp Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

HashiCorp Inc. CWE-636

HashiCorp Inc. https://discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/71047 [No types assigned]