PT-2022-24509 · HashiCorp · Nomad +1

Published: 2022-11-10 · Updated: 2024-08-21 · CVE-2022-3866

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

HashiCorp Nomad and Nomad Enterprise versions 1.4.0 through 1.4.1

Description

The issue allows a workload identity token to list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace.

Recommendations

For versions 1.4.0 through 1.4.1, update to version 1.4.2 to resolve the issue.

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2022-3866
GHSA-7WG4-8M5P-HRFG
GO-2022-1105

Affected Products

Nomad
Nomad Enterprise