CVE-2023-1296
Published 2023-03-14
CVE-2023-1296: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.
Priority: P4 · 23 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.54% (41.3th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_nomad | >= 1.4.0 < 1.4.6 | 1.4.6 |
| github.com | hashicorp_nomad | >= 1.5.0 < 1.5.1 | 1.5.1 |
| hashicorp | nomad | — | — |
| hashicorp | nomad | >= 1.4.0 < 1.4.6 | 1.4.6 |
| hashicorp | nomad_enterprise | — | — |
| hashicorp | nomad_enterprise | >= 1.4.0 < 1.4.6 | 1.4.6 |
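CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | — | 5.3 | MEDIUM | — |
| osv | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |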
OSV
Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad
osv·2024-08-20
CVE-2023-1296 Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad
GHSA
Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables
ghsa·2023-07-06·CVSS 5.3
CVE-2023-1296 [MEDIUM] Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. If included, the Nomad ACL system will silently fail to block access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.
OSV
Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables
osv·2023-07-06·CVSS 5.3
CVE-2023-1296 [MEDIUM] Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. If included, the Nomad ACL system will silently fail to block access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.
OSV
CVE-2023-1296: HashiCorp Nomad and Nomad Enterprise 1
osv·2023-03-14·CVSS 5.3
CVE-2023-1296 [MEDIUM] CVE-2023-1296: HashiCorp Nomad and Nomad Enterprise 1
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.
Red Hat
kernel: firmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle
vendor_redhat·2025-09-15·CVSS 5.5
CVE-2023-53250 [MEDIUM] CWE-476 kernel: firmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle
In the Linux kernel, the following vulnerability has been resolved:
firmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle
KASAN reported a null-ptr-deref error:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 1373 Comm: modprobe
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:dmi_sysfs_entry_release
...
Call Trace:
kobject_put
dmi_sysfs_register_handle (drivers/firmware/dmi-sysfs.c:540) dmi_sysfs
dmi_decode_table (drivers/firmware/dmi_scan.c:133)
dmi_walk (drivers/firmware/dmi_scan.c:1115)
dmi_sysfs_init (drivers/firmware/dmi-sysfs.c:149) dmi_sysfs
do_one_initcall (init/main.c:1296)
...
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x
No detection rules found.
No public exploits indexed.
Published: 2023-03-14