Nomad Search API Leaks Information About CSI Plugins
Moderate severity
GitHub Reviewed
Published
Jul 20, 2023
to the GitHub Advisory Database
•
Updated Sep 26, 2024
Package
Affected versions
>= 0.11.0, < 1.4.11
>= 1.5.0, < 1.5.7
Patched versions
1.4.11
1.5.7
Description
Published by the National Vulnerability Database
Jul 20, 2023
Published to the GitHub Advisory Database
Jul 20, 2023
Reviewed
Apr 1, 2024
Last updated
Sep 26, 2024
A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability, CVE-2023-3300, affects Nomad since 0.11 and was fixed in 1.6.0, 1.5.7, and 1.4.11.
References