CVE-2023-1299: Nomad Job Submitter Privilege Escalation Using Workload Identity

March 14, 2023

HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

References

discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389
github.com/advisories/GHSA-rqm8-q8j9-662f
nvd.nist.gov/vuln/detail/CVE-2023-1299

Detect and mitigate CVE-2023-1299 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →