CVE Vulnerabilities

CVE-2025-3744

Incorrect Privilege Assignment

Published: May 13, 2025 | Modified: May 15, 2025
CVSS 3.x
7.6
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13.

Weakness

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Nomad Hashicorp * 1.8.13 (excluding)
Nomad Hashicorp 1.9.0 (including) 1.9.9 (excluding)
Nomad Hashicorp 1.10.0 (including) 1.10.0 (including)
Nomad Hashicorp 1.10.0-beta1 (including) 1.10.0-beta1 (including)
Nomad Hashicorp 1.10.0-rc1 (including) 1.10.0-rc1 (including)

Potential Mitigations

References