CVE-2023-3300: 
Nomad vulnerability analysis and mitigation

CVE-2023-3300 affects HashiCorp Nomad and Nomad Enterprise versions 0.11.0 up to 1.5.6 and 1.4.1. The vulnerability was discovered by the Nomad engineering team and disclosed on July 19, 2023. The issue allows the HTTP search API to reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy (HashiCorp Advisory).

The vulnerability stems from a bypass of intended ACL restrictions on the search API endpoint, which specifically exposed the names of CSI plugins configured in the cluster. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-862 (Missing Authorization) and CWE-266 (Incorrect Privilege Assignment) (NVD).

The vulnerability allows unauthorized access to CSI plugin information, potentially exposing sensitive configuration details about the cluster to unauthenticated users or users who lack the appropriate plugin:read policy permissions (HashiCorp Advisory).

The vulnerability has been fixed in Nomad versions 1.6.0, 1.5.7, and 1.4.11. HashiCorp recommends that administrators evaluate the risk and upgrade to these or newer versions. Additionally, administrators should ensure mTLS is configured for HTTP and RPC endpoints as part of Nomad's security model (HashiCorp Advisory).