CVE-2022-3866

2022-11-1006:15:09

CWE-668

[email protected]

web.nvd.nist.gov

cve-2022-3866

hashicorp nomad

nomad enterprise

nvd

security vulnerability

metadata access

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.7%

JSON

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

Affected configurations

NVD

Node

hashicorpnomadMatch1.4.0

hashicorpnomadMatch1.4.0enterprise

hashicorpnomadMatch1.4.1

hashicorpnomadMatch1.4.1enterprise

CPENameOperatorVersion
hashicorp:nomadhashicorp nomadeq1.4.0
hashicorp:nomadhashicorp nomadeq1.4.1

CPE	Name	Operator	Version
hashicorp:nomad	hashicorp nomad	eq	1.4.0
hashicorp:nomad	hashicorp nomad	eq	1.4.1

CNA Affected

[
  {
    "vendor": "HashiCorp",
    "product": "Nomad",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "repo": "https://github.com/hashicorp/nomad",
    "versions": [
      {
        "status": "affected",
        "version": "1.4.0"
      },
      {
        "status": "affected",
        "version": "1.4.1"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "HashiCorp",
    "product": "Nomad Enterprise",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.4.0"
      },
      {
        "status": "affected",
        "version": "1.4.1"
      }
    ],
    "defaultStatus": "unaffected"
  }
]