x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rqm8-q8j9-662f

[GoVulnBot]

In GitHub Security Advisory GHSA-rqm8-q8j9-662f, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/nomad	1.5.1	= 1.5.0

Cross references:

• Module github.com/hashicorp/nomad appears in issue #560 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #573 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #577 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #584 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #591 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #600 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #622 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #634 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #709 NOT_IMPORTABLE
• Module github.com/hashicorp/nomad appears in issue #732 NOT_IMPORTABLE
• Module github.com/hashicorp/nomad appears in issue #806 NOT_IMPORTABLE
• Module github.com/hashicorp/nomad appears in issue #821 NOT_IMPORTABLE
• Module github.com/hashicorp/nomad appears in issue #840 NOT_IMPORTABLE
• Module github.com/hashicorp/nomad appears in issue #1062 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #1105 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #1106 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/nomad appears in issue #1581 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/hashicorp/nomad
    versions:
      - introduced: TODO (earliest fixed "1.5.1", vuln range "= 1.5.0")
    packages:
      - package: github.com/hashicorp/nomad
summary: Nomad Job Submitter Privilege Escalation Using Workload Identity
description: |-
    ### Summary
    A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a user with the submit-job ACL capability can submit a job that can escalate to management-level privileges. This vulnerability, CVE-2023-1299, was introduced in Nomad 1.5.0 and fixed in Nomad 1.5.1.

    ### Background
    Nomad 1.4.0 introduced the concept of workload identity so that tasks can access variables without needing to access them through Nomad HTTP API with an ACL token.

    In 1.5.0, the identity block was introduced, which exposes the workload identity token to the workload so it can access Nomad HTTP API via a unix domain socket without configuring mTLS.

    ### Details
    During internal testing, we discovered it was possible to abuse the workload identity to elevate to management-level privilege if the workload identity did not have any attached ACL policies.

    ### Remediation
    Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.5.1 or newer. See Nomad’s Upgrading for general guidance on this process.
cves:
  - CVE-2023-1299
ghsas:
  - GHSA-rqm8-q8j9-662f
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1299
  - web: https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389
  - advisory: https://github.com/advisories/GHSA-rqm8-q8j9-662f

[gopherbot]

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606783 mentions this issue: data/reports: unexclude 20 reports (3)