CVE-2023-5954: 
HashiCorp Vault vulnerability analysis and mitigation

HashiCorp Vault and Vault Enterprise are affected by a vulnerability (CVE-2023-5954) where inbound client requests triggering a policy check can lead to an unbounded consumption of memory. The vulnerability was discovered and disclosed on November 9, 2023, affecting Vault versions 1.15.0, 1.14.3, and 1.13.7. The issue has been fixed in Vault versions 1.15.2, 1.14.6, and 1.13.10 (HashiCorp Advisory).

The vulnerability occurs when inbound client requests that trigger a policy check create a logger that is never removed from memory. This results in unbounded memory consumption until out-of-memory processes are triggered by the operating system. The issue's severity has been assessed with a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H by NIST NVD, while HashiCorp assessed it with a score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD Database).

The vulnerability's primary impact is the potential for denial-of-service conditions due to memory exhaustion. The memory growth is proportional to the volume of requests, making the system particularly vulnerable to high-traffic scenarios. This excessive memory consumption is noted to be more prevalent in Vault Enterprise deployments (HashiCorp Advisory).

The primary mitigation is to upgrade to the fixed versions: Vault 1.15.2, 1.14.6, 1.13.10, or newer. Organizations should evaluate the risk associated with this issue and follow the general guidance and version-specific upgrade notes provided in the Vault upgrading documentation (HashiCorp Advisory).