CVE-2023-1299 — Missing Authorization in Hashicorp Nomad

CWE-862 — Missing Authorization6 documents4 sources

Severity

8.8HIGHNVD

CNA7.4

EPSS

0.2%

top 51.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Nomad Hashicorp Nomad Hashicorp Nomad Enterprise

Timeline

PublishedMar 14

Latest updateAug 20

Description

HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.5.0

▶Gogithub.com/hashicorp_nomad1.5.0 — 1.5.1

▶CVEListV5hashicorp/nomad1.5.0

▶NVDhashicorp/nomad1.5.0

🔴Vulnerability Details

OSV

Nomad Job Submitter Privilege Escalation Using Workload Identity in github.com/hashicorp/nomad↗2024-08-20

▶

OSV

CVE-2023-1299: HashiCorp Nomad and Nomad Enterprise 1↗2023-03-14

▶

CVEList

Nomad Job Submitter Privilege Escalation Using Workload Identity↗2023-03-14

▶

GHSA

Nomad Job Submitter Privilege Escalation Using Workload Identity↗2023-03-14

▶

OSV

Nomad Job Submitter Privilege Escalation Using Workload Identity↗2023-03-14

▶