CVE-2022-3866 — Resource Exposure in Hashicorp Nomad

CWE-668 — Resource Exposure6 documents4 sources

Severity

4.3MEDIUMNVD

CNA5.0

EPSS

0.2%

top 52.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Nomad Hashicorp Nomad Hashicorp Nomad Enterprise

Timeline

PublishedNov 10

Latest updateAug 21

Description

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.4.0, 1.4.1+1

▶Gogithub.com/hashicorp_nomad1.4.0 — 1.4.2

▶CVEListV5hashicorp/nomad1.4.0, 1.4.1+1

▶NVDhashicorp/nomad1.4.0, 1.4.1+1

🔴Vulnerability Details

OSV

HashiCorp Nomad vulnerable to non-sensitive metadata exposure in github.com/hashicorp/nomad↗2024-08-21

▶

CVEList

Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/↗2022-11-10

▶

OSV

HashiCorp Nomad vulnerable to non-sensitive metadata exposure↗2022-11-10

▶

OSV

CVE-2022-3866: HashiCorp Nomad and Nomad Enterprise 1↗2022-11-10

▶

GHSA

HashiCorp Nomad vulnerable to non-sensitive metadata exposure↗2022-11-10

▶