
HCSEC-2023-33


**Bulletin ID:** HCSEC-2023-33

**Affected Products / Versions:** Vault and Vault Enterprise 1.15.0 through 1.15.1, 1.14.3 through 1.14.5, and 1.13.7 through 1.13.9. Fixed in 1.15.2, 1.14.6, and 1.13.10.

**Publication Date:** November 9, 2023

**Summary**

Inbound client requests to Vault and Vault Enterprise ("Vault") that trigger a policy check can lead to unbounded memory consumption. A large number of such requests may lead to denial of service. This vulnerability, CVE-2023-5954, is fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

**Background**

[Policies](https://developer.hashicorp.com/vault/docs/concepts/policies) provide a declarative way to define what can and cannot be accessed in Vault, and are used to authorize inbound client requests as described in Vault's [architecture documentation](https://developer.hashicorp.com/vault/docs/internals/architecture).

**Details**

An excessive memory consumption issue was introduced in Vault 1.15.0, 1.14.3, and 1.13.7: each inbound client request that triggers a policy check creates a logger that is never removed from memory. The side effect is memory growth with no upper bound, continuing until the operating system's out-of-memory handling terminates the process. Because the leak happens per request, memory growth is proportional to request volume, and a sustained stream of requests may therefore result in denial of service. Operators may have observed increased memory usage after upgrading Vault to one of the affected versions listed above. The excessive memory consumption is more prevalent in Vault Enterprise.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.15.2, 1.14.6, 1.13.10, or newer. Please refer to [Upgrading Vault](https://learn.hashicorp.com/tutorials/vault/sop-upgrade?in=vault/standard-procedures) for general guidance and version-specific upgrade notes.

**Acknowledgement**

This issue was identified by the Vault engineering team.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
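The affected ranges above apply within each minor line (1.13.x, 1.14.x, 1.15.x), which is easy to get wrong when checking a fleet by hand. The following Go helper is an added example, not HashiCorp's code, that parses the version string an operator sees from `vault version` or `vault status` (including Enterprise build metadata such as `+ent` or `+ent.hsm`) and reports whether that version falls inside one of the CVE-2023-5954 ranges. The function and type names, and the sample version strings in `main`, are the example's own constructions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is the numeric part of a Vault version string.
type Version struct{ Major, Minor, Patch int }

// versionRange is a half-open interval [Introduced, Fixed) within one minor line.
type versionRange struct{ Introduced, Fixed Version }

// cve20235954Ranges encodes HCSEC-2023-33: introduced in 1.13.7 / 1.14.3 / 1.15.0,
// fixed in 1.13.10 / 1.14.6 / 1.15.2. Minor lines not listed here are unaffected.
var cve20235954Ranges = []versionRange{
	{Introduced: Version{1, 13, 7}, Fixed: Version{1, 13, 10}},
	{Introduced: Version{1, 14, 3}, Fixed: Version{1, 14, 6}},
	{Introduced: Version{1, 15, 0}, Fixed: Version{1, 15, 2}},
}

// ParseVersion accepts the forms operators see in `vault version` and
// `vault status` output, such as "Vault v1.15.1 (abc123)", "1.15.1+ent",
// "1.14.4+ent.hsm" and "1.15.0-rc1". Build metadata (+ent, +ent.hsm) and
// pre-release tags are dropped, so a release candidate is treated as its
// final release; that errs on the side of reporting "affected".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimSpace(s)
	s = strings.TrimPrefix(s, "Vault ")
	if fields := strings.Fields(s); len(fields) > 0 {
		s = fields[0] // keep only the version token, drop the commit hash etc.
	}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unrecognised version string %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// AffectedByCVE20235954 reports whether the given Vault version string falls
// inside one of the vulnerable ranges. Each range is applied only within its
// own minor line, so 1.16.x, and 1.12.x and earlier, are reported as unaffected.
func AffectedByCVE20235954(versionString string) (bool, error) {
	v, err := ParseVersion(versionString)
	if err != nil {
		return false, err
	}
	for _, r := range cve20235954Ranges {
		sameLine := v.Major == r.Introduced.Major && v.Minor == r.Introduced.Minor
		if sameLine && !v.Less(r.Introduced) && v.Less(r.Fixed) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs, not output captured from a real cluster.
	samples := []string{"Vault v1.15.1 (abc123)", "1.15.2+ent", "1.14.5+ent.hsm", "1.13.6", "1.16.0"}
	for _, s := range samples {
		affected, err := AffectedByCVE20235954(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-24s affected=%v\n", s, affected)
	}
}
```

Note that the check answers only whether the running binary carries the leak; it says nothing about how much memory has already been consumed, which depends on request volume since the process started. For an affected cluster, the upgrade above is the fix; restarting a node only resets the leak counter.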

Timeline

  • Nov 9, 2023 CVE Published