6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-0821

GHSA ID

GHSA-w479-w22g-cffh

EPSS Score

0.47639%

CWE

CWE-400

Published

2/17/2023

Updated

3/7/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-0821

CVE-2023-0821: Uncontrolled Resource Consumption in Hashicorp Nomad

HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-0821

GHSA ID

GHSA-w479-w22g-cffh

EPSS Score

0.47639%

CWE

CWE-400

Published

2/17/2023

Updated

3/7/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/hashicorp/nomad	go	>= 1.2.15, < 1.2.16	1.2.16
github.com/hashicorp/nomad	go	>= 1.3.0, < 1.3.9	1.3.9
github.com/hashicorp/nomad	go	>= 1.4.0, < 1.4.4	1.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing decompression limits in artifact handling. The key evidence is:

getter.go's getClient function added LimitedDecompressors - proving previous lack of constraints
artifact.go added decompression limit fields to config - showing previous absence of these safety measures
Test changes verify zip/tar.gz/xz decompressors now have limits - indicating they operated without restrictions before These functions directly control artifact decompression configuration and would appear in stack traces during malicious artifact processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*i*orp Nom** *n* Nom** *nt*rpris* *.*.** up to *.*.*, *n* *.*.* jo*s usin* * m*li*iously *ompr*ss** *rti***t st*nz* sour** **n **us* *x**ssiv* *isk us***. *ix** in *.*.**, *.*.*, *n* *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom missin* ***ompr*ssion limits in *rti***t **n*lin*. T** k*y *vi**n** is: *. **tt*r.*o's **t*li*nt *un*tion ***** Limit*****ompr*ssors - provin* pr*vious l**k o* *onstr*ints *. *rti***t.*o ***** ***ompr*ssion limit *i*l*s t

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-0821: Uncontrolled Resource Consumption in Hashicorp Nomad

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI