cvelist | HashiCorp | CVELIST:CVE-2023-3299
History: Jul 19, 2023 - 11:35 p.m.

CVE-2023-3299 Nomad Caller ACL Token's Secret ID is Exposed to Sentinel

2023-07-19 23:35:12
CWE-668
HashiCorp
www.cve.org

CVSS3: 3.4 Low

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

AI Score: 4.2 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.9%)

In HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10, ACL policies using a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

CNA Affected

[
  {
    "vendor": "HashiCorp",
    "product": "Nomad Enterprise",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.2.11",
        "lessThanOrEqual": "1.4.10",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "1.2.11",
        "lessThanOrEqual": "1.5.6",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
