CVE-2023-3299

Low

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in…

HashiCorp·CWE-201·Published 2023-07-19

CVSS

2.7

EPSS

0.00

KEV

Exploits

cve.orgen

165 chars

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

NVDen

165 chars

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

GHSAen

247 chars

A vulnerability was identified in Nomad such that the API caller’s ACL token secret ID is exposed to Sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	3.4	—	—	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
3.1	Primary	NVD	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	NVD	3.4	1.7	1.4	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
3.1	Secondary	GHSA	3.4	—	—	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N