PT-2023-24122 · Hashicorp · Hashicorp Nomad Enterprise

Published

2023-07-19

·

Updated

2025-05-26

·

CVE-2023-3299

CVSS v3.1

3.4

Low

Vector AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

HashiCorp Nomad Enterprise versions 1.2.11 through 1.5.6; HashiCorp Nomad Enterprise version 1.4.10

Description

A vulnerability exists where the API caller's ACL token secret ID is exposed to Sentinel policies. Additionally, ACL policies using a block without a label generate unexpected results.

Recommendations

For HashiCorp Nomad Enterprise versions 1.2.11 through 1.5.6, update to version 1.5.7 or later. For HashiCorp Nomad Enterprise version 1.4.10, update to version 1.4.11 or later. For HashiCorp Nomad Enterprise versions prior to 1.6.0, update to version 1.6.0 or later. As a temporary workaround, consider restricting access to Sentinel policies to minimize the risk of exploitation.

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

BDU:2025-06176
CVE-2023-3299
GHSA-9JFX-84V9-2RR2
GO-2024-2669

Affected Products

Hashicorp Nomad Enterprise
Red Os