History: Jul 19, 2023 - 11:35 p.m.

CVE-2023-3299 Nomad Caller ACL Token's Secret ID is Exposed to Sentinel

2023-07-19 23:35:12
CWE-201
HashiCorp
www.cve.org

CVSS3: 3.4
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

AI Score: 4.2
Confidence: High

EPSS: 0.001
Percentile: 21.5%

In HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10, ACL policies using a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "product": "Nomad Enterprise",
    "vendor": "HashiCorp",
    "versions": [
      {
        "lessThanOrEqual": "1.4.10",
        "status": "affected",
        "version": "1.2.11",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "1.5.6",
        "status": "affected",
        "version": "1.2.11",
        "versionType": "semver"
      }
    ]
  }
]
