CVE-2022-3866: HashiCorp Nomad vulnerable to non-sensitive metadata exposure

November 10, 2022

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

References

discuss.hashicorp.com/t/hcsec-2022-25-nomad-s-workload-identity-token-can-list-non-sensitive-metadata-for-nomad-paths/46167
github.com/advisories/GHSA-7wg4-8m5p-hrfg
nvd.nist.gov/vuln/detail/CVE-2022-3866

Code Behaviors & Features

Detect and mitigate CVE-2022-3866 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →