CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1299 – Nomad Job Submitter Privilege Escalation Using Workload Identity
https://notcve.org/view.php?id=CVE-2023-1299
14 Mar 2023 — HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1. • https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-1296 – Nomad ACLs Can Not Deny Access to Workload's Own Variables
https://notcve.org/view.php?id=CVE-2023-1296
14 Mar 2023 — HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1. • https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390 • CWE-682: Incorrect Calculation CWE-862: Missing Authorization •