Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation
CVE-2023-1782

10 CRITICAL

Key Information:

Vendor
HashiCorp
CVE Published:
5 April 2023

Summary

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to and including 1.5.2 allow unauthenticated users to bypass Access Control List (ACL) authorization through HTTP requests to a client agent, on clusters where mutual TLS (mTLS) is not enabled. A successful bypass can grant access to cluster resources that the ACL policy should deny. The issue is fixed in version 1.5.3 and operators are advised to upgrade; because the bypass depends on mTLS being off, enabling mTLS on the affected agents removes that precondition for nodes that cannot be upgraded immediately.
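As an added example (not HashiCorp code and not part of this advisory), the following Python audit helper ties the two facts above together: it parses the version line printed by `nomad version` and checks a Nomad agent configuration rendered as JSON for the mTLS settings, reporting whether a node needs the 1.5.3 upgrade, is already mitigated by mTLS, or is outside the affected range. The mapping of "mTLS enabled" onto the tls stanza keys `http`, `rpc` and `verify_https_client`, the version-string layout, and all sample inputs are this example's own assumptions.

```python
"""Audit helper for CVE-2023-1782: Nomad 1.5.0 <= version < 1.5.3 allows an
ACL bypass when mTLS is not enabled.

Added example, not HashiCorp code. All sample inputs below are constructed.
"""
import json
import re
from typing import Tuple

FIRST_AFFECTED = (1, 5, 0)   # advisory: affected from 1.5.0 ...
FIXED = (1, 5, 3)            # ... up to, but not including, the fixed 1.5.3

# Matches 'v1.5.2', '1.5.2-rc1' and '1.5.2+ent' (the Enterprise build suffix).
_VERSION_RE = re.compile(
    r"\bv?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?(?:\+([0-9A-Za-z.]+))?"
)


def parse_nomad_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse the version from `nomad version` output, e.g. 'Nomad v1.5.2+ent'.

    Returns ((major, minor, patch), is_enterprise). Pre-release tags such as
    '-rc1' are dropped; only the numeric triple is compared against the range.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no semantic version in {text!r}")
    triple = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    is_ent = (m.group(4) or "").startswith("ent")
    return triple, is_ent


def version_in_affected_range(triple: Tuple[int, int, int]) -> bool:
    """Tuple comparison gives the same ordering as Nomad's semantic versions."""
    return FIRST_AFFECTED <= triple < FIXED


def mtls_enabled(agent_config: dict) -> bool:
    """Return True when the tls stanza enforces client certificates.

    Assumption of this example: 'mTLS enabled' means tls.http, tls.rpc and
    tls.verify_https_client are all true (these are documented Nomad keys).
    HCL-to-JSON tooling sometimes renders a stanza as a one-element list, so
    both shapes are accepted.
    """
    tls = agent_config.get("tls")
    if isinstance(tls, list):
        tls = tls[0] if tls else None
    if not isinstance(tls, dict):
        return False
    return all(tls.get(key) is True for key in ("http", "rpc", "verify_https_client"))


def assess(version_output: str, agent_config_json: str) -> str:
    """Return 'not-affected', 'mitigated' (affected build, mTLS on) or 'upgrade'."""
    triple, _ = parse_nomad_version(version_output)
    if not version_in_affected_range(triple):
        return "not-affected"
    return "mitigated" if mtls_enabled(json.loads(agent_config_json)) else "upgrade"


# Constructed sample inputs; not captured from a real cluster.
SAMPLE_VERSION_ENT = "Nomad v1.5.2+ent"
SAMPLE_VERSION_FIXED = "Nomad v1.5.3"
SAMPLE_CONFIG_NO_MTLS = """
{
  "datacenter": "dc1",
  "acl": {"enabled": true},
  "tls": {"http": false, "rpc": false}
}
"""
SAMPLE_CONFIG_MTLS = """
{
  "datacenter": "dc1",
  "acl": {"enabled": true},
  "tls": {
    "http": true,
    "rpc": true,
    "ca_file": "/etc/nomad.d/nomad-ca.pem",
    "cert_file": "/etc/nomad.d/server.pem",
    "key_file": "/etc/nomad.d/server-key.pem",
    "verify_server_hostname": true,
    "verify_https_client": true
  }
}
"""

if __name__ == "__main__":
    cases = [
        ("enterprise, mTLS off", SAMPLE_VERSION_ENT, SAMPLE_CONFIG_NO_MTLS),
        ("enterprise, mTLS on", SAMPLE_VERSION_ENT, SAMPLE_CONFIG_MTLS),
        ("fixed build", SAMPLE_VERSION_FIXED, SAMPLE_CONFIG_NO_MTLS),
    ]
    for label, ver, cfg in cases:
        print(f"{label}: {assess(ver, cfg)}")
```

On a real node, feed `assess()` the first line of `nomad version` and the agent's configuration converted to JSON; a result of "upgrade" means the build is in the affected range and nothing in the tls stanza requires client certificates, so the ACL bypass precondition holds.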

Affected Version(s)

Nomad (64 bit): 1.5.0 up to, but not including, 1.5.3

Nomad Enterprise (64 bit): 1.5.0 up to, but not including, 1.5.3

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score:
10.0
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 5 April 2023