{
  "threat_severity" : "Moderate",
  "public_date" : "2023-11-09T00:00:00Z",
  "bugzilla" : {
    "description" : "vault: inbound client requests can trigger a denial of service",
    "id" : "2249115",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2249115"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.", "A flaw was found in The HashiCorp Vault, which may be susceptible to a denial of service due to an unbounded consumption of memory when handling policy requests. This issue may allow an attacker to trigger policy checks by sending multiple inbound client requests that create a logger that is never removed from memory, leading to excessive memory consumption, causing a denial of service condition." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:3718",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "openshift4/ose-installer-rhel9:v4.17.0-202409122204.p0.gdfd4c08.assembly.stream.el9"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/mcg-rhel9-operator:v4.15.0-39"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/ocs-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odf-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odr-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5954\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5954\nhttps://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926" ],
  "name" : "CVE-2023-5954",
  "csaw" : false
}