CVE-2022-3866

Description

HashiCorp Nomad vulnerable to non-sensitive metadata exposure in github.com/hashicorp/nomad

How to fix CVE-2022-3866

To remediate CVE-2022-3866, upgrade the affected package to a fixed version below.

• Go/github.com/hashicorp/nomad—upgrade to 1.4.2 or later
• Go/github.com/hashicorp/nomad—upgrade to 1.4.2 or later

Is CVE-2022-3866 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 1.4.0, < 1.4.2
• >= 1.4.0, < 1.4.2

CVSS scores

References (5)

• ADVISORYgithub.com/advisories/GHSA-7wg4-8m5p-hrfg
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-3866
• PATCHgithub.com/hashicorp/nomad
• WEBdiscuss.hashicorp.com/t/hcsec-2022-25-nomad-s-workload-identity-token-can-list-non-sensitive-metadata-for-nomad-paths/46167