CVE-2020-7956

CRITICAL9.8EPSS 0.24%

Improper Certificate Validation in HashiCorp Nomad

Published: 5/18/2021Modified: 8/21/2024

Also known as:GHSA-cj2h-ww36-v932GO-2022-0821

Description

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.

Affected packages (2)

Go/github.com/hashicorp/nomadfrom 0, < 0.10.3
Go/github.com/hashicorp/nomadfrom 0, < 0.10.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://github.com/advisories/GHSA-cj2h-ww36-v932
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7956
WEBhttps://github.com/hashicorp/nomad/issues/7003
WEBhttps://github.com/hashicorp/nomad/pull/7023
WEBhttps://www.hashicorp.com/blog/category/nomad