
CVE-2022-3866: CWE-668 Exposure of Resource to Wrong Sphere in HashiCorp Nomad

Medium
Tags: Vulnerability, CVE-2022-3866, cve, cwe-668
Published: Thu Nov 10 2022 (11/10/2022, 05:34:52 UTC)
Source: CVE
Vendor/Project: HashiCorp
Product: Nomad

Description

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 22:41:37 UTC

Technical Analysis

CVE-2022-3866 is a medium-severity vulnerability in HashiCorp Nomad and Nomad Enterprise 1.4.0 and 1.4.1, the first releases to ship workload identity and Nomad Variables. In these releases a task's workload identity token can list variable paths under the nomad/ prefix that belong to other jobs in the same Nomad namespace. The listing returns metadata such as the path, not the variable contents. Nomad intends a job's workload identity to reach only that job's own nomad/jobs/<job_id> subtree, so letting it see other jobs' paths is an exposure of a resource to the wrong sphere (CWE-668). No secret values are disclosed, but learning which jobs keep variables, and at which paths, is useful reconnaissance for an attacker who already runs code in one task and is looking for a second weakness to reach those variables. The flaw was fixed in 1.4.2. The CVSS v3.1 base score is 5.0 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N: network reachable because a task talks to the server API over the network, low attack complexity, no user interaction, a limited confidentiality impact and no impact on integrity or availability. PR:L reflects that the attacker needs a workload identity token, which every Nomad task receives automatically, so the realistic attacker is a compromised or malicious workload rather than an unauthenticated outsider. The changed scope reflects that a token scoped to one job affects the isolation of other jobs. No exploitation in the wild has been reported. The issue matters most where several jobs, possibly from different teams, share a namespace.

Potential Impact

For European organizations that run HashiCorp Nomad for workload orchestration, the direct effect is disclosure of variable paths and their metadata across jobs that share a namespace. The variable contents are not exposed, but the paths alone tell a compromised or malicious workload which other jobs exist in the namespace and which of them keep per-job variables, which can guide later attacks that combine this knowledge with another vulnerability or misconfiguration. Organizations in sectors with strict confidentiality and compliance requirements (finance, healthcare, critical infrastructure) should treat this as a map of their internal workloads rather than a data breach. The exposure is most relevant in multi-tenant clusters where several teams share one namespace and rely on job isolation. Because the precondition is a workload identity token, which every task holds, the threat actors to consider are insiders who can submit jobs and attackers who have already compromised a running task. There is no impact on integrity or availability, so service disruption is not a direct consequence. Overall this is a moderate confidentiality risk whose main effect is to raise the value of other weaknesses in the environment.

Mitigation Recommendations

1. Upgrade all Nomad servers and clients to 1.4.2 or later, the release that contains the fix.
2. Only expose the workload identity token to tasks that actually use the Variables API, and treat it as a credential inside task code; a task that never receives the token cannot use or leak it.
3. Use Nomad namespaces as the isolation boundary. The flaw only crosses job boundaries within one namespace, so giving each tenant, team or sensitivity tier its own namespace directly limits what any single token can enumerate.
4. Log and review Variables API activity (Nomad Enterprise audit logs, or the logs of a proxy in front of the server API where one is used) and alert on tasks listing paths outside their own nomad/jobs/<job_id> subtree, which a well-behaved task has no reason to do.
5. Apply network segmentation and least-privilege principles so that a compromised task or token cannot move laterally beyond the cluster API.
6. Review Nomad ACL, namespace and token issuance configuration regularly, with attention to who may submit jobs into shared namespaces, since submitting a job is what obtains a workload identity.
7. Make DevOps and security teams aware that variable path names are visible across jobs on unpatched clusters, so paths themselves should not encode anything sensitive, and reinforce token hygiene.
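The following script is an added example for this page, not code from HashiCorp or from the advisory. It implements the two practical checks behind the analysis and the recommendations above: whether a server version falls in the affected range 1.4.0 to 1.4.1, and, given the JSON that `nomad var list -out=json nomad/jobs` returns to a task's workload identity token, which listed paths belong to a job other than the task's own. The `nomad var list` output shape, the `nomad/jobs/<job_id>[/<group>[/<task>]]` path convention, the `NOMAD_JOB_ID` environment variable and the sample listing are assumptions or constructed data, not output captured from a real cluster.

```python
"""Added example (not Nomad's own code): two checks for CVE-2022-3866.

Assumptions, to be verified against your cluster:
  * `nomad version` prints a string containing "v<major>.<minor>.<patch>".
  * `nomad var list -out=json nomad/jobs`, run with a task's workload
    identity token, prints a JSON array whose objects carry a "Path" key.
  * A job's own variables live at nomad/jobs/<job_id>, optionally followed
    by /<group> and /<group>/<task>.
"""
import json
import re
import sys

AFFECTED_FROM = (1, 4, 0)   # first release with workload identity and Variables
FIXED_IN = (1, 4, 2)        # first release containing the fix


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from e.g. 'Nomad v1.4.1' or '1.4.1+ent'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(text: str) -> bool:
    """True for 1.4.0 and 1.4.1 (OSS or Enterprise), False otherwise."""
    return AFFECTED_FROM <= parse_version(text) < FIXED_IN


def owned_by_job(path: str, job_id: str) -> bool:
    """True if `path` is the job's root variable or nested below it.

    The trailing '/' guards against prefix collisions: job 'web' must not
    claim 'nomad/jobs/webapp' as its own."""
    root = f"nomad/jobs/{job_id}"
    return path == root or path.startswith(root + "/")


def foreign_paths(var_list_json: str, job_id: str) -> list:
    """Paths visible to the token that belong to some other job.

    On a fixed server this is empty for any job_id; a non-empty result on
    1.4.0 or 1.4.1 is the cross-job listing the CVE describes."""
    entries = json.loads(var_list_json)
    return sorted(e["Path"] for e in entries if not owned_by_job(e["Path"], job_id))


# Constructed sample of what a vulnerable 1.4.1 server might return to the
# token of job "web": its own paths plus those of jobs "api" and "webapp".
SAMPLE_LISTING = json.dumps([
    {"Namespace": "default", "Path": "nomad/jobs/web", "ModifyIndex": 12},
    {"Namespace": "default", "Path": "nomad/jobs/web/frontend/nginx", "ModifyIndex": 15},
    {"Namespace": "default", "Path": "nomad/jobs/api", "ModifyIndex": 20},
    {"Namespace": "default", "Path": "nomad/jobs/api/cache/redis", "ModifyIndex": 21},
    {"Namespace": "default", "Path": "nomad/jobs/webapp", "ModifyIndex": 30},
])


if __name__ == "__main__":
    # Live use from inside a task (assumed: NOMAD_TOKEN holds the workload
    # identity token and NOMAD_JOB_ID the job name):
    #   python3 check.py "$(nomad version)" \
    #       "$(nomad var list -out=json nomad/jobs)" "$NOMAD_JOB_ID"
    if len(sys.argv) == 4:
        version_text, listing, job_id = sys.argv[1:]
    else:
        version_text, listing, job_id = "Nomad v1.4.1", SAMPLE_LISTING, "web"
    print("affected version:", is_affected_version(version_text))
    for p in foreign_paths(listing, job_id):
        print("path visible from another job:", p)
```

Run it from inside a task on the cluster you are assessing, passing real `nomad version` and `nomad var list` output as shown in the `__main__` comment. The trailing-slash check in `owned_by_job` is the part worth copying: a naive prefix test would let job `web` claim `nomad/jobs/webapp` and hide a genuine cross-job path.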


Technical Details

Data Version
5.1
Assigner Short Name
HashiCorp
Date Reserved
2022-11-04T22:54:15.589Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9838c4522896dcbec595

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/25/2025, 10:41:37 PM

Last updated: 8/15/2025, 4:31:42 PM
