CVE-2023-1782
Published 2023-04-05
Priority: P3 53 · CVSS 3.1: 9.8 critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.76% (50.6th percentile)
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_nomad | >= 1.5.0 < 1.5.3 | 1.5.3 |
| hashicorp | nomad | >= 1.5.0 < 1.5.3 | 1.5.3 |
| hashicorp | nomad | 1.5.0 – 1.5.2 | — |
| hashicorp | nomad_enterprise | >= 1.5.0 < 1.5.3 | 1.5.3 |
CVSS provenance
| Source | CVSS version | Score | Vector |
|---|---|---|---|
| nvd | 3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 CRITICAL | — |
Advisory sources
- OSV (2024-08-20): HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation in github.com/hashicorp/nomad
- OSV (2023-04-05, HIGH): HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation
- OSV (2023-04-05, CRITICAL, CVSS 9.8): CVE-2023-1782: HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
- GHSA (2023-04-05, HIGH, CWE-285): HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.