Fluid Attacks Database

Description

Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. If included, the Nomad ACL system will silently fail to block access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/nomad	>=1.4.0 <1.4.6 \|\| =1.5.0 \|\| >=1.5.0 <1.5.1	1.4.6, 1.5.1

Aliases

1. CVE-2023-12962. NVD-2023-12963. OSV-2023-12964. GCVE-2023-1296

References

1. https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.