{"id":"CVE-2023-3299","summary":"Nomad Caller ACL Token's Secret ID is Exposed to Sentinel","details":"In HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10, ACL policies using a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.","aliases":["GHSA-9jfx-84v9-2rr2","GO-2024-2669"],"modified":"2026-05-18T05:56:36.911071177Z","published":"2023-07-19T23:35:12.990Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"1.2.11"},{"last_affected":"1.4.10"},{"introduced":"1.2.11"},{"last_affected":"1.5.6"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"HashiCorp","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3299.json","cwe_ids":["CWE-201"]},"references":[{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3299.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3299"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/nomad","events":[{"introduced":"aa3b15dd21d85a3fea93802b1d8f72a8fdb87019"},{"last_affected":"b94618f18655b06673525823c272a3663d8c35c6"},{"introduced":"fc40c491cacec3d8ec3f2f98cd82b9068a50797c"},{"last_affected":"8af70885c02ab921dedbdf6bc406a1e886866f80"}],"database_specific":{"extracted_events":[{"introduced":"1.2.11"},{"last_affected":"1.4.10"},{"introduced":"1.5.0"},{"last_affected":"1.5.6"}],"cpe":["cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*","cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*"],"source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3299.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"}]}