Description
Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.
A flaw was discovered in HashiCorp Nomad. In affected versions of this package, reading from the event stream endpoint with a wildcard namespace can bypass ACL policy checks that would otherwise deny access to a given namespace, because of a discrepancy in how ACL wildcards are validated.
Report
HashiCorp Nomad is a third-party dependency in Red Hat Distributed Tracing. The affected codebase of HashiCorp Nomad is not shipped in Red Hat Distributed Tracing.
Mitigation
No mitigation is available for this issue other than updating the affected package to the version containing the fix.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat OpenShift distributed tracing 3 | rhosdt/opentelemetry-collector-rhel8 | Not affected | | |
Red Hat OpenShift distributed tracing 3 | rhosdt/opentelemetry-operator-bundle | Not affected | | |
Red Hat OpenShift distributed tracing 3 | rhosdt/opentelemetry-rhel8-operator | Not affected | | |
Red Hat OpenShift distributed tracing 3 | rhosdt/opentelemetry-target-allocator-rhel8 | Not affected | | |
Additional information
Status:
EPSS
CVSS3: 7.1 High