hashicorp Nomad Enterprise v1.5.0 - 3 CVEs

CVE-2023-1782

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

CRITICAL CVSS 10.0 Published Apr 05, 2023

CVE-2023-1299

HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

HIGH CVSS 7.4 Published Mar 14, 2023

CVE-2023-1296

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

LOW CVSS 2.7 Published Mar 14, 2023

Version 1.5.0

Known Vulnerabilities

CVE-2023-1782

CVE-2023-1299

CVE-2023-1296