CVE-2023-1782 — Missing Authorization in Nomad

CWE-862 — Missing Authorization CWE-285 — Improper Authorization6 documents4 sources

Severity

9.8CRITICALNVD

CNA9.9

EPSS

0.3%

top 43.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedApr 5

Latest updateAug 20

Description

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.5.0 — 1.5.3

▶CVEListV5hashicorp/nomad1.5.0 — 1.5.3

▶Gogithub.com/hashicorp_nomad1.5.0 — 1.5.3

▶NVDhashicorp/nomad1.5.0 — 1.5.2

🔴Vulnerability Details

OSV

HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation in github.com/hashicorp/nomad↗2024-08-20

▶

CVEList

Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation↗2023-04-05

▶

OSV

HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation↗2023-04-05

▶

OSV

CVE-2023-1782: HashiCorp Nomad and Nomad Enterprise versions 1↗2023-04-05

▶

GHSA

HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation↗2023-04-05

▶