Lucene search
Veracode Vulnerability DatabaseVERACODE:37982HistoryNov 11, 2022 - 6:46 a.m.
Information Disclosure
2022-11-1106:46:36
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
5
vulnerable
information disclosure
github
hashicorp
nomad
remote attacker
metadata
authenticated
0.001 Low
EPSS
Percentile
22.9%
github.com/hashicorp/nomad is vulnerable to information disclosure. The workload identity token lists non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace, which allows a remote authenticated attacker to access information which may provide context they otherwise might not have.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/hashicorp/nomad | le | v1.4.1 | |
| github.com/hashicorp/nomad | le | v1.4.1 |
References
discuss.hashicorp.com/t/hcsec-2022-25-nomad-s-workload-identity-token-can-list-non-sensitive-metadata-for-nomad-paths/46167
github.com/hashicorp/nomad/commit/4615278d5897a927f43908dc2da9066692f9bede
github.com/hashicorp/nomad/issues/15012
github.com/hashicorp/nomad/pull/14997
github.com/hashicorp/nomad/releases/tag/v1.4.2
Related
osv
osv
CVE-2022-3866
2022-11-10 06:15:09
HashiCorp Nomad vulnerable to non-sensitive metadata exposure
2022-11-10 12:01:03
github
github
HashiCorp Nomad vulnerable to non-sensitive metadata exposure
2022-11-10 12:01:03
debiancve
debiancve
CVE-2022-3866
2022-11-10 06:15:00
nvd
nvd
CVE-2022-3866
2022-11-10 06:15:09
cve
cve
CVE-2022-3866
2022-11-10 06:15:09
cvelist
cvelist
prion
prion
Denial of service
2022-11-10 06:15:00
ubuntucve
ubuntucve
CVE-2022-3866
2022-11-10 00:00:00