1.4.1

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

hashicorp

CWE-613

NVD

Published: 2022-11-10

Updated: 2022-11-15

Summary

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.

Vulnerable Configurations

Part	Description	Count
Application	Hashicorp Hashicorp Nomad 1.4.0 Hashicorp Nomad 1.4.1	4

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168