{"id":"CVE-2024-8185","details":"Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack via memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.\n\nThis vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.","aliases":["BIT-vault-2024-8185","GHSA-g233-2p4r-3q7v","GO-2024-3246"],"modified":"2026-02-23T01:55:24.358871Z","published":"2024-10-31T16:15:06.267Z","related":["CGA-m64p-2x95-p5jf","SUSE-SU-2024:3950-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14452-1"],"references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/71047"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/vault","events":[{"introduced":"33d368eac2d24501209d6874379c8cc4d4736e3d"},{"fixed":"f479e5c85462477c9334564bc8f69531cdb03b65"}]}],"versions":["api/auth/approle/v0.1.0","api/auth/approle/v0.1.1","api/auth/approle/v0.2.0","api/auth/approle/v0.3.0","api/auth/approle/v0.4.0","api/auth/approle/v0.4.1","api/auth/approle/v0.5.0","api/auth/approle/v0.6.0","api/auth/approle/v0.7.0","api/auth/approle/v0.8.0","api/auth/aws/v0.1.0","api/auth/aws/v0.2.0","api/auth/aws/v0.3.0","api/auth/aws/v0.4.0","api/auth/aws/v0.4.1","api/auth/aws/v0.5.0","api/auth/aws/v0.6.0","api/auth/aws/v0.7.0","api/auth/aws/v0.8.0","api/auth/azure/v0.1.0","api/auth/azure/v0.2.0","api/auth/azure/v0.3.0","api/auth/azure/v0.4.0","api/auth/azure/v0.4.1","api/auth/azure/v0.5.0","api/auth/azure/v0.6.0","api/auth/azure/v0.7.0","api/auth/gcp/v0.1.0","api/auth/gcp/v0.2.0","api/auth/gcp/v0.3.0","api/auth/gcp/
v0.4.0","api/auth/gcp/v0.4.1","api/auth/gcp/v0.5.0","api/auth/gcp/v0.6.0","api/auth/gcp/v0.7.0","api/auth/gcp/v0.8.0","api/auth/kubernetes/v0.1.0","api/auth/kubernetes/v0.2.0","api/auth/kubernetes/v0.3.0","api/auth/kubernetes/v0.4.0","api/auth/kubernetes/v0.4.1","api/auth/kubernetes/v0.5.0","api/auth/kubernetes/v0.6.0","api/auth/kubernetes/v0.7.0","api/auth/kubernetes/v0.8.0","api/auth/ldap/v0.1.0","api/auth/ldap/v0.2.0","api/auth/ldap/v0.3.0","api/auth/ldap/v0.4.0","api/auth/ldap/v0.4.1","api/auth/ldap/v0.5.0","api/auth/ldap/v0.6.0","api/auth/ldap/v0.7.0","api/auth/ldap/v0.8.0","api/auth/userpass/v0.1.0","api/auth/userpass/v0.2.0","api/auth/userpass/v0.3.0","api/auth/userpass/v0.4.0","api/auth/userpass/v0.4.1","api/auth/userpass/v0.5.0","api/auth/userpass/v0.6.0","api/auth/userpass/v0.7.0","api/auth/userpass/v0.8.0","api/v1.1.1","api/v1.10.0","api/v1.11.0","api/v1.12.0","api/v1.12.1","api/v1.12.2","api/v1.13.0","api/v1.14.0","api/v1.15.0","api/v1.2.0","api/v1.3.1","api/v1.5.0","api/v1.6.0","api/v1.7.0","api/v1.7.1","api/v1.7.2","api/v1.8.0","api/v1.8.1","api/v1.8.2","api/v1.8.3","api/v1.9.0","api/v1.9.1","api/v1.9.2","last-go-modable","main-creation","sdk/v0.10.0","sdk/v0.10.1","sdk/v0.11.0","sdk/v0.11.1","sdk/v0.12.0","sdk/v0.13.0","sdk/v0.14.0","sdk/v0.2.1","sdk/v0.3.0","sdk/v0.4.1","sdk/v0.5.0","sdk/v0.5.1","sdk/v0.5.3","sdk/v0.6.0","sdk/v0.6.1","sdk/v0.6.2","sdk/v0.7.0","sdk/v0.8.0","sdk/v0.9.0","sdk/v0.9.1","sdk/v0.9.2","v1.18.0","v1.18.0-rc1","v1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8185.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}