What is CVE-2023-1782?

CVE-2023-1782 is a critical-severity vulnerability in Hashicorp Nomad, classified under Missing Authorization. CVSS score: 10.0/10. Published 2023-04-05.

How severe is CVE-2023-1782?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Auth bypass in Hashicorp Nomad

CVE-2023-1782

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

Vulnerability class: Broken Access Control

EPSS: 0.005 (64.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Hashicorp Nomad — versions 1.5.0
Hashicorp Nomad Enterprise — versions 1.5.0

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

discuss.hashicorp.com/t/hcsec-2023-12-nomad-unauthenticated-client-agent-http-r…

Frequently asked questions

What is CVE-2023-1782?: CVE-2023-1782 is a critical-severity vulnerability in Hashicorp Nomad, classified under Missing Authorization. CVSS score: 10.0/10. Published 2023-04-05.
How severe is CVE-2023-1782?: Critical severity. CVSS v3 base score is 10.0 out of 10.