CVE-2020-7956 — Improper Certificate Validation in Hashicorp Nomad

CWE-295 — Improper Certificate Validation6 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 52.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Nomad Hashicorp Nomad

Timeline

PublishedJan 31

Latest updateAug 21

Description

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDhashicorp/nomad< 0.10.3

▶Gogithub.com/hashicorp_nomad< 0.10.3

🔴Vulnerability Details

OSV

Improper Certificate Validation in HashiCorp Nomad in github.com/hashicorp/nomad↗2024-08-21

▶

OSV

Improper Certificate Validation in HashiCorp Nomad↗2021-05-18

▶

GHSA

Improper Certificate Validation in HashiCorp Nomad↗2021-05-18

▶

CVEList

CVE-2020-7956: HashiCorp Nomad and Nomad Enterprise up to 0↗2020-01-31

▶

OSV

CVE-2020-7956: HashiCorp Nomad and Nomad Enterprise up to 0↗2020-01-31

▶