CVE-2023-3299

Published: Jul 20, 2023Modified: Nov 21, 2024

2.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.2 / Impact: 1.4

Source: NVD

Description

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

Affected (4)

Products: Hashicorp: Nomad

Hashicorp

1 product

Nomad

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Hashicorp Nomad	From 1.2.11 to 1.4.10
Hashicorp Nomad	From 1.5.0 to 1.5.6
Hashicorp Nomad	From 1.2.11 to 1.4.10
Hashicorp Nomad	From 1.5.0 to 1.5.6

Related CWEs

CWE-201

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

CWE-668

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (2)

https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271

Source: security@hashicorp.com

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.