CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1782 – Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-1782
05 Apr 2023 — HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3. • https://discuss.hashicorp.com/t/hcsec-2023-12-nomad-unauthenticated-client-agent-http-request-privilege-escalation/52375 • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1299 – Nomad Job Submitter Privilege Escalation Using Workload Identity
https://notcve.org/view.php?id=CVE-2023-1299
14 Mar 2023 — HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1. • https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-1296 – Nomad ACLs Can Not Deny Access to Workload's Own Variables
https://notcve.org/view.php?id=CVE-2023-1296
14 Mar 2023 — HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1. • https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390 • CWE-682: Incorrect Calculation CWE-862: Missing Authorization •