Lucene search

GitHub Advisory DatabaseGHSA-9JFX-84V9-2RR2

HistoryJul 20, 2023 - 12:30 a.m.

Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel

2023-07-2000:30:24

CWE-668

GitHub Advisory Database

github.com

nomad

api

vulnerability

cve-2023-3299

acl token

sentinel

security

software

patch

fixed

3.4 Low

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.9%

JSON

A vulnerability was identified in Nomad such that the API caller’s ACL token secret ID is exposed to Sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Affected configurations

Vulners

Node

hashicorpnomadRange<1.5.7

hashicorpnomadRange<1.4.11

CPENameOperatorVersion
github.com/hashicorp/nomadlt1.5.7
github.com/hashicorp/nomadlt1.4.11

CPE	Name	Operator	Version
	github.com/hashicorp/nomad	lt	1.5.7
	github.com/hashicorp/nomad	lt	1.4.11

References

discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271

github.com/advisories/GHSA-9jfx-84v9-2rr2

github.com/hashicorp/nomad/issues/17907

nvd.nist.gov/vuln/detail/CVE-2023-3299

pkg.go.dev/vuln/GO-2024-2669

3.4 Low

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.9%

JSON

Related for GHSA-9JFX-84V9-2RR2