PT-2023-22921 · Hashicorp · Nomad Enterprise

Published: 2023-07-19 · Updated: 2025-05-26 · CVE-2023-3072

CVSS v2.0: 4.7 (Medium)
Vector: AV:N/AC:L/Au:M/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

HashiCorp Nomad and Nomad Enterprise versions 0.7.0 through 1.5.6
HashiCorp Nomad and Nomad Enterprise version 1.4.10

Description

A vulnerability in HashiCorp Nomad and Nomad Enterprise allows an ACL policy that uses a block without a label to produce unexpected results: the permissions in such a block may be applied to resources the policy author did not intend. The issue affects Nomad, HashiCorp's workload scheduler for deploying and managing applications.

Recommendations

For HashiCorp Nomad and Nomad Enterprise versions 0.7.0 through 1.5.6, update to version 1.5.7 or later to resolve the issue. For HashiCorp Nomad and Nomad Enterprise version 1.4.10, update to version 1.4.11 to resolve the issue. As a temporary workaround, consider restricting the use of ACL policies that contain blocks without labels until a patch can be applied.
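As an added illustration, not taken from the advisory or from HashiCorp, the two policy shapes the description contrasts, written in Nomad's HCL ACL policy syntax (the namespace names are constructed):

```hcl
# Pattern the advisory warns about: a namespace block with no label.
# On affected versions (0.7.0 through 1.5.6, and 1.4.10) the grant in
# such a block may be applied to namespaces the author did not intend.
# Reviewers of policy files should treat this form as a finding.
namespace {
  policy = "write"
}

# Intended form: every block carries an explicit label naming the
# resource it governs, so the grant is scoped to exactly that namespace.
namespace "team-a" {
  policy = "write"
}

# If a broad grant is really wanted, say so explicitly with the
# wildcard label rather than relying on an unlabeled block.
namespace "*" {
  policy = "read"
}
```

A simple interim control on unpatched clusters is to reject any policy file containing a block keyword followed directly by `{` with no quoted label before it is loaded with `nomad acl policy apply`.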

Status

Fix

Weakness Enumeration

Missing Authorization
Incorrect Privilege Assignment

Related Identifiers

BDU:2025-06166
CVE-2023-3072
GHSA-RPVR-38XV-XVXQ
GO-2024-2670

Affected Products

Hashicorp Nomad
Nomad Enterprise
Red Os