Unauthenticated Access to CSI Plugin Names in HashiCorp Nomad

Unauthenticated Access to CSI Plugin Names in HashiCorp Nomad

CVE-2023-3300 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.

Learn more about our Api Penetration Testing.