CVE-2023-1782 CRITICAL

CVE-2023-1782: Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation

Vendor Hashicorp

Product Nomad

Weakness CWE-862 · Missing authorization

Published April 5, 2023

Last update February 10, 2025

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

Key dates

02Disclosure timeline

April 5, 2023 CVE published

February 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1782 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-37119 WordPress Uncanny Automator Pro plugin < 5.3.0.1 - Unauthenticated License Settings Reset vulnerability CVE-2023-2415 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout CVE-2025-8285 Unauthorized Channel Subscription Creation in Mattermost Confluence Plugin CVE-2024-7046 Improper Access Control in open-webui/open-webui CVE-2026-2559 Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite

Identifiers

CVE CVE-2023-1782

CWE CWE-862

CVSS 10.0 / CRITICAL

Affected versions

Vendor Hashicorp

Product Nomad

Affected ≥ 1.5.0 and < 1.5.3

Vendor Hashicorp

Product Nomad Enterprise

Affected ≥ 1.5.0 and < 1.5.3