vulndb/data/osv/GO-2024-2670.json

{
  "schema_version": "1.3.1",
  "id": "GO-2024-2670",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2023-3072",
    "GHSA-rpvr-38xv-xvxq"
  ],
  "summary": "ACL security vulnerability in github.com/hashicorp/nomad",
  "details": "An ACL policy using a block without label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.",
  "affected": [
    {
      "package": {
        "name": "github.com/hashicorp/nomad",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "1.4.11"
            },
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.6"
            }
          ]
        }
      ],
      "ecosystem_specific": {}
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270"
    }
  ],
  "credits": [
    {
      "name": "anonymous4ACL24"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2024-2670",
    "review_status": "REVIEWED"
  }
}
data/reports: add GO-2024-2670.yaml Aliases: CVE-2023-3072, GHSA-rpvr-38xv-xvxq Fixes golang/vulndb#2670 Change-Id: I46b19f27e158e894c212486f1523563d1dce6f8e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576556 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2024-04-04 21:14:47 +03:00			`{`
			`"schema_version": "1.3.1",`
			`"id": "GO-2024-2670",`
			`"modified": "0001-01-01T00:00:00Z",`
			`"published": "0001-01-01T00:00:00Z",`
			`"aliases": [`
			`"CVE-2023-3072",`
			`"GHSA-rpvr-38xv-xvxq"`
			`],`
			`"summary": "ACL security vulnerability in github.com/hashicorp/nomad",`
			`"details": "An ACL policy using a block without label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.",`
			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/hashicorp/nomad",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0.7.0"`
			`},`
			`{`
			`"fixed": "1.4.11"`
			`},`
			`{`
			`"introduced": "1.5.0"`
			`},`
			`{`
			`"fixed": "1.5.6"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {}`
			`}`
			`],`
			`"references": [`
			`{`
			`"type": "WEB",`
			`"url": "https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270"`
			`}`
			`],`
			`"credits": [`
			`{`
			`"name": "anonymous4ACL24"`
			`}`
			`],`
			`"database_specific": {`
data: apply REVIEWED status to all existing reports and osv Change-Id: I862c5bb24b9c08c29f0d437fd1be61da0319ef0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-05-14 22:19:00 +03:00			`"url": "https://pkg.go.dev/vuln/GO-2024-2670",`
			`"review_status": "REVIEWED"`
data/reports: add GO-2024-2670.yaml Aliases: CVE-2023-3072, GHSA-rpvr-38xv-xvxq Fixes golang/vulndb#2670 Change-Id: I46b19f27e158e894c212486f1523563d1dce6f8e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576556 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2024-04-04 21:14:47 +03:00			`}`
			`}`