CVE-2023-1296: Missing Authorization

July 6, 2023

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 does not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

References

discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390
github.com/advisories/GHSA-hhvx-8755-4cvw
nvd.nist.gov/vuln/detail/CVE-2023-1296

Detect and mitigate CVE-2023-1296 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →