x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c3q9-q986-vrwh #3510

GoVulnBot · 2025-03-10T23:01:11Z

Advisory GHSA-c3q9-q986-vrwh references a vulnerability in the following Go modules:

Module
github.com/hashicorp/nomad

Description:
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

References:

Cross references:

github.com/hashicorp/nomad appears in 29 other report(s):
- data/reports/GO-2022-0560.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-6jm6-cmcp-fqjq #560)
- data/reports/GO-2022-0573.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2jhh-5xm2-j4gf #573)
- data/reports/GO-2022-0577.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-3382-r9q8-4hfg #577)
- data/reports/GO-2022-0584.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-wmrx-57hm-mw7r #584)
- data/reports/GO-2022-0591.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c8x3-rg72-fwwg #591)
- data/reports/GO-2022-0600.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-gwmc-6795-qghj #600)
- data/reports/GO-2022-0622.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-35qp-xq9f-2rjx #622)
- data/reports/GO-2022-0634.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/client/allocrunner/taskrunner/template: GHSA-6hv3-7c34-4hx8 #634)
- data/reports/GO-2022-0709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-vf6q-9f2f-mwhv #709)
- data/reports/GO-2022-0732.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-526x-rm7j-v389 #732)
- data/reports/GO-2022-0770.yaml (x/vulndb: potential Go vuln in github.com/binance-chain/tss-lib/ecdsa/keygen: GHSA-5x92-p4p5-33c4 #770 #770)
- data/reports/GO-2022-0806.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/client/allocrunner/taskrunner/template: GHSA-77cr-6gr8-7rr9 #806)
- data/reports/GO-2022-0821.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-cj2h-ww36-v932 #821)
- data/reports/GO-2022-0840.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/command/agent: GHSA-h43v-26r7-7j4c #840)
- data/reports/GO-2022-1062.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-7v3g-4878-5qrf #1062)
- data/reports/GO-2022-1105.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-7wg4-8m5p-hrfg #1105)
- data/reports/GO-2022-1106.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-9fmc-5fq4-5jwh #1106)
- data/reports/GO-2023-1581.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-w479-w22g-cffh #1581)
- data/reports/GO-2023-1633.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rqm8-q8j9-662f #1633)
- data/reports/GO-2023-1707.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-f8r8-h93m-mj77 #1707)
- data/reports/GO-2023-1899.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-hhvx-8755-4cvw #1899)
- data/reports/GO-2023-1928.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2w2v-xcr9-mj4m #1928)
- data/reports/GO-2024-2538.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c866-8gpw-p3mv #2538)
- data/reports/GO-2024-2669.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-9jfx-84v9-2rr2 #2669)
- data/reports/GO-2024-2670.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rpvr-38xv-xvxq #2670)
- data/reports/GO-2024-2671.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-v5fm-hr72-27hx #2671)
- data/reports/GO-2024-3073.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-25qx-vfw2-fw8r #3073)
- data/reports/GO-2024-3262.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2w5v-x29g-jw7j #3262)
- data/reports/GO-2024-3354.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-hr68-hvgv-xxqf #3354)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/nomad
      vulnerable_at: 1.9.6
summary: |-
    Nomad is vulnerable to unintentional exposure of the workload identity token and
    client secret token in audit logs in github.com/hashicorp/nomad
cves:
    - CVE-2025-1296
ghsas:
    - GHSA-c3q9-q986-vrwh
references:
    - advisory: https://github.com/advisories/GHSA-c3q9-q986-vrwh
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1296
    - fix: https://github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6
9967
b3
    - web: https://discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737
source:
    id: GHSA-c3q9-q986-vrwh
    created: 2025-03-10T23:01:11.488246275Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-03-12T17:48:30Z

Change https://go.dev/cl/657255 mentions this issue: data/reports: add 7 reports

GoVulnBot added the NeedsTriage label Mar 10, 2025

thatnealpatel added triaged and removed NeedsTriage labels Mar 12, 2025

thatnealpatel self-assigned this Mar 12, 2025

gopherbot closed this as completed in 061fd45 Mar 13, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c3q9-q986-vrwh #3510

x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c3q9-q986-vrwh #3510

x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c3q9-q986-vrwh #3510

x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c3q9-q986-vrwh #3510

Comments