CVE-2023-1782 — Vulnetix

CVE-2023-1782 PUBLISHED CVSS 10 CRITICAL

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

EPSS 0.47% · 64.6th percentile

Risk Scores

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.47%

64.6th percentile

Affected Products

Vendor	Product	Versions
github.com	hashicorp/nomad	1.5.0
HashiCorp	Nomad	1.5.0
hashicorp	nomad	1.5.0, 1.5.0
HashiCorp	Nomad Enterprise	1.5.0

Timeline

Apr 5, 2023 CVE Published
Apr 6, 2023 CVE Updated
Apr 6, 2023 EPSS Score
May 14, 2023 EPSS Score
Jun 21, 2023 EPSS Score
Jul 29, 2023 EPSS Score
Sep 4, 2023 EPSS Score
Oct 12, 2023 EPSS Score
Nov 19, 2023 EPSS Score
Dec 27, 2023 EPSS Score
Mar 12, 2024 EPSS Score
Apr 19, 2024 EPSS Score

References

https://discuss.hashicorp.com/t/hcsec-2023-12-nomad-unauthenticated-client-agent-http-request-privilege-escalation/52375 url
https://nvd.nist.gov/vuln/detail/CVE-2023-1782 advisory
https://github.com/hashicorp/nomad package

Open in Interactive Console →