CVE-2023-1296
LOWHashiCorp Nomad 1.4.0-1.5.0 - Incorrect Access Control in Variable Deny Policies
Title source: llmDescription
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.
References (1)
Core 1
Core References
Issue Tracking, Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390
Scores
CVSS v3
2.7
EPSS
0.0054
EPSS Percentile
40.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-682
CWE-862
Status
published
Products (3)
hashicorp/nomad
1.5.0 (2 CPE variants)
hashicorp/nomad
1.4.0 - 1.4.6 (2 CPE variants)
hashicorp/nomad
1.4.0 - 1.4.6Go
Published
Mar 14, 2023
Tracked Since
Feb 18, 2026