CVE-2023-3299 — Sensitive Info Insertion into Sent Data in Hashicorp Nomad

CWE-201 — Sensitive Info Insertion into Sent Data CWE-668 — Resource Exposure6 documents4 sources

Severity

2.7LOWNVD

CNA3.4

EPSS

0.3%

top 45.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Nomad Hashicorp Nomad Enterprise Hashicorp Nomad

Timeline

PublishedJul 20

Latest updateApr 4

Description

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5hashicorp/nomad_enterprise1.2.11 — 1.4.10+1

▶Gogithub.com/hashicorp_nomad1.2.11 — 1.4.11+1

▶NVDhashicorp/nomad1.2.11 — 1.4.10+1

🔴Vulnerability Details

OSV

API token secret ID leak to Sentinel in github.com/hashicorp/nomad↗2024-04-04

▶

GHSA

Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel↗2023-07-20

▶

OSV

Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel↗2023-07-20

▶

OSV

CVE-2023-3299: HashiCorp Nomad Enterprise 1↗2023-07-20

▶

CVEList

Nomad Caller ACL Token's Secret ID is Exposed to Sentinel↗2023-07-19

▶