CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables

2023-03-1414:45:24

CWE-682

HashiCorp

www.cve.org

nomad

acls

deny policy

vulnerability

fixed

versions

CVSS3

2.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

25.7%

JSON

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

CNA Affected

[
  {
    "vendor": "HashiCorp",
    "product": "Nomad",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "repo": "https://github.com/hashicorp/nomad",
    "versions": [
      {
        "status": "affected",
        "version": "1.5.0"
      },
      {
        "lessThan": "1.4.6",
        "status": "affected",
        "version": "1.4.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "HashiCorp",
    "product": "Nomad Enterprise",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.5.0"
      },
      {
        "lessThan": "1.4.6",
        "status": "affected",
        "version": "1.4.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]