blob: d01e4c4a7514f4cd51cc786da2dd2bbb00c47c64 [file] [log] [blame]
id: GO-2024-2669
modules:
- module: github.com/hashicorp/nomad
versions:
- introduced: 1.2.11
- fixed: 1.4.11
- introduced: 1.5.0
- fixed: 1.5.7
vulnerable_at: 1.5.6
summary: API token secret ID leak to Sentinel in github.com/hashicorp/nomad
description: |-
A vulnerability exists in Nomad where the API caller's ACL token secret
ID is exposed to Sentinel policies.
cves:
- CVE-2023-3299
ghsas:
- GHSA-9jfx-84v9-2rr2
credits:
- anonymous4ACL24
references:
- report: https://github.com/hashicorp/nomad/issues/17907
- web: https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271
review_status: REVIEWED