Vulnerabilities > CVE-2023-1296 - Missing Authorization vulnerability in Hashicorp Nomad

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

hashicorp

CWE-862

NVD

Published: 2023-03-14

Updated: 2023-11-07

Summary

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

Vulnerable Configurations

Part	Description	Count
Application	Hashicorp Hashicorp Nomad 1.5.0 Hashicorp Nomad 1.4.0 Hashicorp Nomad 1.4.4 Hashicorp Nomad 1.4.1 Hashicorp Nomad 1.4.2	8

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390