Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 920177 (CVE-2023-6337, HCSEC-2023-34) - <app-admin/vault-1.14.8: denial of service via large HTTP requests
Summary: <app-admin/vault-1.14.8: denial of service via large HTTP requests
Alias: CVE-2023-6337, HCSEC-2023-34
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [stable?]
Depends on: CVE-2023-3462, CVE-2023-4680, CVE-2023-5077
  Show dependency tree
Reported: 2023-12-16 23:38 UTC by John Helmert III
Modified: 2023-12-18 07:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-16 23:38:30 UTC

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.

Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

Please bump (and ideally stabilize for bug 9184120 too).
Comment 1 Larry the Git Cow gentoo-dev 2023-12-18 04:46:18 UTC
The bug has been referenced in the following commit(s):

commit f1ee3a0737d807e5704a5f5455118bfe48af1f87
Author:     Zac Medico <>
AuthorDate: 2023-12-18 04:45:10 +0000
Commit:     Zac Medico <>
CommitDate: 2023-12-18 04:46:14 +0000

    app-admin/vault: add 1.14.8
    Signed-off-by: Zac Medico <>

 app-admin/vault/Manifest            |  2 +
 app-admin/vault/vault-1.14.8.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)