CVE-2022-3866

HashiCorp Nomad vulnerable to non-sensitive metadata exposure in go/github.com/hashicorp/nomad

Identifiers

GHSA-7wg4-8m5p-hrfg, CVE-2022-3866

Package Slug

go/github.com/hashicorp/nomad

Vulnerability

HashiCorp Nomad vulnerable to non-sensitive metadata exposure

Description

In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

Affected Versions

All versions starting from 1.4.0 and before 1.4.2

Solution

Upgrade to version 1.4.2 or above.

Last Modified

2022-11-13
