CVE-2023-1782: HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation

April 5, 2023 (updated April 6, 2023)

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

References

discuss.hashicorp.com/t/hcsec-2023-12-nomad-unauthenticated-client-agent-http-request-privilege-escalation/52375
github.com/advisories/GHSA-f8r8-h93m-mj77
nvd.nist.gov/vuln/detail/CVE-2023-1782

Detect and mitigate CVE-2023-1782 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →