id: GO-2024-2671
modules:
    - module: github.com/hashicorp/nomad
      versions:
        - introduced: 0.11.0
          fixed: 1.4.11
        - introduced: 1.5.0
          fixed: 1.5.7
      vulnerable_at: 1.4.10
      packages:
        - package: github.com/hashicorp/nomad/acl
          symbols:
            - ACL.AllowVariableSearch
        - package: github.com/hashicorp/nomad/nomad
          symbols:
            - sufficientSearchPerms
            - filteredSearchContexts
            - getEnterpriseFuzzyResourceIter
          derived_symbols:
            - ACL.GetPolicies
            - ACL.GetPolicy
            - ACL.GetRoleByID
            - ACL.GetRoleByName
            - ACL.GetRolesByID
            - ACL.GetToken
            - ACL.GetTokens
            - ACL.ListPolicies
            - ACL.ListRoles
            - ACL.ListTokens
            - Alloc.GetAlloc
            - Alloc.GetAllocs
            - Alloc.GetServiceRegistrations
            - Alloc.List
            - CSIPlugin.Get
            - CSIPlugin.List
            - CSIVolume.Get
            - CSIVolume.List
            - Deployment.Allocations
            - Deployment.GetDeployment
            - Deployment.List
            - Eval.Allocations
            - Eval.Count
            - Eval.GetEval
            - Eval.List
            - Job.Allocations
            - Job.Deployments
            - Job.Dispatch
            - Job.Evaluations
            - Job.GetJob
            - Job.GetJobVersions
            - Job.GetServiceRegistrations
            - Job.LatestDeployment
            - Job.List
            - Job.Plan
            - Job.ScaleStatus
            - Job.Summary
            - Keyring.Get
            - Keyring.List
            - Namespace.GetNamespace
            - Namespace.GetNamespaces
            - Namespace.ListNamespaces
            - NewServer
            - NewWorker
            - Node.GetAllocs
            - Node.GetClientAllocs
            - Node.GetNode
            - Node.List
            - PeriodicDispatch.SetEnabled
            - Scaling.GetPolicy
            - Scaling.ListPolicies
            - Search.FuzzySearch
            - Search.PrefixSearch
            - Server.Reload
            - Server.RunningChildren
            - Server.SetSchedulerWorkerConfig
            - ServiceRegistration.GetService
            - ServiceRegistration.List
            - TestACLServer
            - TestServer
            - TestServerErr
            - Variables.List
            - Variables.Read
            - Worker.Start
            - nomadFSM.Apply
            - nomadFSM.Restore
            - nomadFSM.RestoreWithFilter
summary: CSI plugin names disclosure in github.com/hashicorp/nomad
description: |-
    A vulnerability was identified in Nomad such that the search HTTP API
    can reveal names of available CSI plugins to unauthenticated users or
    users without the plugin:read policy. This vulnerability affects Nomad
    since 0.11.0 and was fixed in 1.4.11 and 1.5.7.
cves:
    - CVE-2023-3300
ghsas:
    - GHSA-v5fm-hr72-27hx
credits:
    - anonymous4ACL24
references:
    - fix: https://github.com/hashicorp/nomad/commit/a8789d3872bbf1b1f420f28b0f7ad8532a41d5e3
    - web: https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272
review_status: REVIEWED