CVE-2023-1782: Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation
First published: Wed Apr 05 2023(Updated: )
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
Credit: security@hashicorp.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Nomad | >=1.5.0<=1.5.2 | |
| HashiCorp Nomad | >=1.5.0<=1.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-1782.
What is the severity of CVE-2023-1782?
The severity of CVE-2023-1782 is critical with a severity value of 9.8.
Which versions of HashiCorp Nomad and Nomad Enterprise are affected?
Versions 1.5.0 up to 1.5.2 of HashiCorp Nomad and Nomad Enterprise are affected.
How can unauthenticated users bypass ACL authorizations in affected versions of HashiCorp Nomad and Nomad Enterprise?
Unauthenticated users can bypass intended ACL authorizations for clusters where mTLS is not enabled.
How can I fix CVE-2023-1782?
Update to version 1.5.3 of HashiCorp Nomad or Nomad Enterprise to fix the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/title
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/hashicorp
- canonical/hashicorp nomad
- version/hashicorp nomad/1.5.0
- version/hashicorp nomad/1.5.2