CVE-2023-3299
Published 2023-07-20
Priority: P4 · 10 · low · 2.7 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.49% (38.6th percentile)
HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_nomad | >= 1.2.11 < 1.4.11 | 1.4.11 |
| github.com | hashicorp_nomad | >= 1.5.0 < 1.5.7 | 1.5.7 |
| hashicorp | nomad | 1.2.11 – 1.4.10 | — |
| hashicorp | nomad | 1.5.0 – 1.5.6 | — |
| hashicorp | nomad_enterprise | 1.2.11 – 1.4.10 | — |
CVSS provenance
nvd · v3.1 · 2.7 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
ghsa · 2.7 LOW
osv · 2.7 LOW
OSV
API token secret ID leak to Sentinel in github.com/hashicorp/nomad
osv·2024-04-04
A vulnerability exists in Nomad where the API caller's ACL token secret ID is exposed to Sentinel policies.
GHSA
Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel
ghsa·2023-07-20·CVSS 2.7
CVE-2023-3299 [LOW] CWE-201 Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel
A vulnerability was identified in Nomad such that the API caller’s ACL token secret ID is exposed to Sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.
OSV
Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel
osv·2023-07-20·CVSS 2.7
CVE-2023-3299 [LOW] Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel
OSV
CVE-2023-3299: HashiCorp Nomad Enterprise 1
osv·2023-07-20·CVSS 2.7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-07-20
Published