CVE-2023-1296: 
Nomad vulnerability analysis and mitigation

A vulnerability was identified in HashiCorp's Nomad and Nomad Enterprise products (CVE-2023-1296) affecting versions 1.4.0 up to 1.5.0. The vulnerability relates to the Access Control List (ACL) system where deny ACL capabilities could not be properly applied to a workload's own variables, resulting in the system silently failing to block access (HashiCorp Discussion).

The vulnerability was introduced with Nomad 1.4.0's variables feature and workload identity functionality, which was designed to allow tasks to access their own variables without requiring a Nomad ACL token. The specific issue manifests when attempting to implement deny capabilities in ACL policies, where the system fails to enforce the intended access restrictions on variables (HashiCorp Discussion).

The vulnerability compromises the effectiveness of ACL policies by failing to properly enforce deny capabilities on variable access. This could potentially lead to unauthorized access to variables within the Nomad environment, bypassing intended security controls (HashiCorp Discussion).

HashiCorp has addressed this vulnerability in Nomad versions 1.4.6 and 1.5.1. Users are recommended to evaluate the associated risks and upgrade to these patched versions or newer releases. The company provides general upgrade guidance in their Nomad's Upgrading documentation (HashiCorp Discussion).