{ "schema_version": "1.3.1", "id": "GO-2024-2670", "modified": "0001-01-01T00:00:00Z", "published": "0001-01-01T00:00:00Z", "aliases": [ "CVE-2023-3072", "GHSA-rpvr-38xv-xvxq" ], "summary": "ACL security vulnerability in github.com/hashicorp/nomad", "details": "An ACL policy using a block without a label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.", "affected": [ { "package": { "name": "github.com/hashicorp/nomad", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.7.0" }, { "fixed": "1.4.11" }, { "introduced": "1.5.0" }, { "fixed": "1.5.6" } ] } ], "ecosystem_specific": {} } ], "references": [ { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270" } ], "credits": [ { "name": "anonymous4ACL24" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2670", "review_status": "REVIEWED" } }