Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation

CVE-2023-1782

9.8CRITICAL

Key Information

Vendor: HashiCorp
Status: Nomad; Nomad Enterprise
Vendor: CVE Published:; 5 April 2023

Summary

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

Affected Version(s)

Nomad < 1.5.3

Nomad Enterprise < 1.5.3

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Apr 5, 2023
Vulnerability Reserved.
Mar 31, 2023

Collectors

NVD DatabaseMitre Database