Vulnerability Monitor


CVE-2023-1782


HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.


Published: 2023-04-05T20:15:07.763

Last Modified: 2024-11-21T07:39:53.690

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 9.9 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-862
  • Type: Primary
    CWE-862

Affected Vendors & Products
Type         Vendor     Product  Version/Range  Vulnerable?
Application  hashicorp  nomad    ≤ 1.5.2        Yes
Application  hashicorp  nomad    ≤ 1.5.2        Yes
