Vulnerability Report: GO-2024-2671

Affected Packages

• Path
  Versions
  Symbols
• github.com/hashicorp/nomad/acl
  from v0.11.0 before v1.4.11, from v1.5.0 before v1.5.7
  • ACL.AllowVariableSearch
• github.com/hashicorp/nomad/nomad
  from v0.11.0 before v1.4.11, from v1.5.0 before v1.5.7
  64 affected symbols

  • ACL.GetPolicies
  • ACL.GetPolicy
  • ACL.GetRoleByID
  • ACL.GetRoleByName
  • ACL.GetRolesByID
  • ACL.GetToken
  • ACL.GetTokens
  • ACL.ListPolicies
  • ACL.ListRoles
  • ACL.ListTokens
  • Alloc.GetAlloc
  • Alloc.GetAllocs
  • Alloc.GetServiceRegistrations
  • Alloc.List
  • CSIPlugin.Get
  • CSIPlugin.List
  • CSIVolume.Get
  • CSIVolume.List
  • Deployment.Allocations
  • Deployment.GetDeployment
  • Deployment.List
  • Eval.Allocations
  • Eval.Count
  • Eval.GetEval
  • Eval.List
  • Job.Allocations
  • Job.Deployments
  • Job.Dispatch
  • Job.Evaluations
  • Job.GetJob
  • Job.GetJobVersions
  • Job.GetServiceRegistrations
  • Job.LatestDeployment
  • Job.List
  • Job.Plan
  • Job.ScaleStatus
  • Job.Summary
  • Keyring.Get
  • Keyring.List
  • Namespace.GetNamespace
  • Namespace.GetNamespaces
  • Namespace.ListNamespaces
  • NewServer
  • NewWorker
  • Node.GetAllocs
  • Node.GetClientAllocs
  • Node.GetNode
  • Node.List
  • PeriodicDispatch.SetEnabled
  • Scaling.GetPolicy
  • Scaling.ListPolicies
  • Search.FuzzySearch
  • Search.PrefixSearch
  • Server.Reload
  • Server.RunningChildren
  • Server.SetSchedulerWorkerConfig
  • ServiceRegistration.GetService
  • ServiceRegistration.List
  • TestACLServer
  • TestServer
  • TestServerErr
  • Variables.List
  • Variables.Read
  • Worker.Start

Aliases

• CVE-2023-3300
• GHSA-v5fm-hr72-27hx

References

• https://github.com/hashicorp/nomad/commit/a8789d3872bbf1b1f420f28b0f7ad8532a41d5e3
• https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272
• https://vuln.go.dev/ID/GO-2024-2671.json

Credits

• anonymous4ACL24

Feedback