CVE-2023-3300

Summary

HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.

Affected Software

VendorProductVersion RangeStatus
HashiCorpNomad0.11.0 <= 1.4.1affected
HashiCorpNomad0.11.0 <= 1.5.6affected
HashiCorpNomad Enterprise0.11.0 <= 1.4.1affected
HashiCorpNomad Enterprise0.11.0 <= 1.5.6affected

Weaknesses

  • CWE-266: CWE-266: Incorrect Privilege Assignment

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References