{"id":"CVE-2023-3299","details":"HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.","aliases":["GHSA-9jfx-84v9-2rr2","GO-2024-2669"],"modified":"2026-04-10T04:58:08.216307Z","published":"2023-07-20T00:15:10.447Z","references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/nomad","events":[{"introduced":"aa3b15dd21d85a3fea93802b1d8f72a8fdb87019"},{"last_affected":"b94618f18655b06673525823c272a3663d8c35c6"},{"introduced":"aa3b15dd21d85a3fea93802b1d8f72a8fdb87019"},{"last_affected":"b94618f18655b06673525823c272a3663d8c35c6"},{"introduced":"fc40c491cacec3d8ec3f2f98cd82b9068a50797c"},{"last_affected":"8af70885c02ab921dedbdf6bc406a1e886866f80"},{"introduced":"fc40c491cacec3d8ec3f2f98cd82b9068a50797c"},{"last_affected":"8af70885c02ab921dedbdf6bc406a1e886866f80"}],"database_specific":{"versions":[{"introduced":"1.2.11"},{"last_affected":"1.4.10"},{"introduced":"1.2.11"},{"last_affected":"1.4.10"},{"introduced":"1.5.0"},{"last_affected":"1.5.6"},{"introduced":"1.5.0"},{"last_affected":"1.5.6"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3299.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}]}