GHSA-f8r8-h93m-mj77

Suggest an improvement
Source
https://github.com/advisories/GHSA-f8r8-h93m-mj77
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-f8r8-h93m-mj77/GHSA-f8r8-h93m-mj77.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f8r8-h93m-mj77
Aliases
Published
2023-04-05T21:30:24Z
Modified
2024-08-20T20:58:54.468657Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation
Details

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

Database specific 
{
    "nvd_published_at": "2023-04-05T20:15:00Z",
    "github_reviewed_at": "2023-04-06T16:59:26Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285",
        "CWE-862"
    ]
}
References

Affected packages

Go / github.com/hashicorp/nomad

Package

Name
github.com/hashicorp/nomad
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type
SEMVER
Events
Introduced
1.5.0
Fixed
1.5.3

Database specific 

{
    "last_known_affected_version_range": "<= 1.5.2"
}