CVE-2023-1299 — Vulnetix

CVE-2023-1299 PUBLISHED CVSS 7.400000095367432 HIGH

HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

EPSS 0.12% · 31.0th percentile

Risk Scores

CVSS v3.1

7.400000095367432

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

EPSS Score

0.12%

31.0th percentile

Affected Products

Vendor	Product	Versions
github.com	hashicorp/nomad	1.5.0, 1.5.0
hashicorp	nomad	1.5.0, 1.5.0
HashiCorp	Nomad	1.5.0
HashiCorp	Nomad Enterprise	1.5.0

Timeline

Mar 14, 2023 CVE Published
Mar 15, 2023 EPSS Score
Apr 23, 2023 EPSS Score
May 31, 2023 EPSS Score
Jul 9, 2023 EPSS Score
Aug 16, 2023 EPSS Score
Sep 24, 2023 EPSS Score
Nov 2, 2023 EPSS Score
Dec 10, 2023 EPSS Score
Jan 18, 2024 EPSS Score
Feb 26, 2024 EPSS Score
Apr 4, 2024 EPSS Score

References

https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389 url
https://nvd.nist.gov/vuln/detail/CVE-2023-1299 advisory
https://github.com/hashicorp/nomad package

Open in Interactive Console →