CVE-2023-1296 — Incorrect Calculation in Nomad

CWE-682 — Incorrect Calculation CWE-862 — Missing Authorization CWE-476 — NULL Pointer Dereference7 documents5 sources

Severity

5.3MEDIUMNVD

CNA2.7

EPSS

0.2%

top 61.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedMar 14

Latest updateSep 15

Description

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.4.0 — 1.4.6+1

▶CVEListV5hashicorp/nomad1.4.0 — 1.4.6+1

▶NVDhashicorp/nomad1.4.0 — 1.4.6+1

▶Gogithub.com/hashicorp_nomad1.4.0 — 1.4.6+1

🔴Vulnerability Details

OSV

Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad↗2024-08-20

▶

GHSA

Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables↗2023-07-06

▶

OSV

Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables↗2023-07-06

▶

OSV

CVE-2023-1296: HashiCorp Nomad and Nomad Enterprise 1↗2023-03-14

▶

CVEList

Nomad ACLs Can Not Deny Access to Workload's Own Variables↗2023-03-14

▶

📋Vendor Advisories

Red Hat

kernel: firmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle↗2025-09-15

▶