| { |
| "schema_version": "1.3.1", |
| "id": "GO-2024-2671", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2023-3300", |
| "GHSA-v5fm-hr72-27hx" |
| ], |
| "summary": "CSI plugin names disclosure in github.com/hashicorp/nomad", |
| "details": "A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability affects Nomad since 0.11.0 and was fixed in 1.4.11 and 1.5.7.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/hashicorp/nomad", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0.11.0" |
| }, |
| { |
| "fixed": "1.4.11" |
| }, |
| { |
| "introduced": "1.5.0" |
| }, |
| { |
| "fixed": "1.5.7" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/hashicorp/nomad/acl", |
| "symbols": [ |
| "ACL.AllowVariableSearch" |
| ] |
| }, |
| { |
| "path": "github.com/hashicorp/nomad/nomad", |
| "symbols": [ |
| "ACL.GetPolicies", |
| "ACL.GetPolicy", |
| "ACL.GetRoleByID", |
| "ACL.GetRoleByName", |
| "ACL.GetRolesByID", |
| "ACL.GetToken", |
| "ACL.GetTokens", |
| "ACL.ListPolicies", |
| "ACL.ListRoles", |
| "ACL.ListTokens", |
| "Alloc.GetAlloc", |
| "Alloc.GetAllocs", |
| "Alloc.GetServiceRegistrations", |
| "Alloc.List", |
| "CSIPlugin.Get", |
| "CSIPlugin.List", |
| "CSIVolume.Get", |
| "CSIVolume.List", |
| "Deployment.Allocations", |
| "Deployment.GetDeployment", |
| "Deployment.List", |
| "Eval.Allocations", |
| "Eval.Count", |
| "Eval.GetEval", |
| "Eval.List", |
| "Job.Allocations", |
| "Job.Deployments", |
| "Job.Dispatch", |
| "Job.Evaluations", |
| "Job.GetJob", |
| "Job.GetJobVersions", |
| "Job.GetServiceRegistrations", |
| "Job.LatestDeployment", |
| "Job.List", |
| "Job.Plan", |
| "Job.ScaleStatus", |
| "Job.Summary", |
| "Keyring.Get", |
| "Keyring.List", |
| "Namespace.GetNamespace", |
| "Namespace.GetNamespaces", |
| "Namespace.ListNamespaces", |
| "NewServer", |
| "NewWorker", |
| "Node.GetAllocs", |
| "Node.GetClientAllocs", |
| "Node.GetNode", |
| "Node.List", |
| "PeriodicDispatch.SetEnabled", |
| "Scaling.GetPolicy", |
| "Scaling.ListPolicies", |
| "Search.FuzzySearch", |
| "Search.PrefixSearch", |
| "Server.Reload", |
| "Server.RunningChildren", |
| "Server.SetSchedulerWorkerConfig", |
| "ServiceRegistration.GetService", |
| "ServiceRegistration.List", |
| "TestACLServer", |
| "TestServer", |
| "TestServerErr", |
| "Variables.List", |
| "Variables.Read", |
| "Worker.Start", |
| "filteredSearchContexts", |
| "getEnterpriseFuzzyResourceIter", |
| "nomadFSM.Apply", |
| "nomadFSM.Restore", |
| "nomadFSM.RestoreWithFilter", |
| "sufficientSearchPerms" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/hashicorp/nomad/commit/a8789d3872bbf1b1f420f28b0f7ad8532a41d5e3" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "anonymous4ACL24" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2024-2671", |
| "review_status": "REVIEWED" |
| } |
| } |
