CVE-2021-43415 – github.com/hashicorp/nomad
Package
Manager: go
Name: github.com/hashicorp/nomad
Vulnerable Version: >=0 <1.0.14 || >=1.1.0 <1.1.8 || >=1.2.0 <1.2.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00305 (percentile: 0.53218)
Details
Improper Authentication in HashiCorp Nomad
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
Metadata
Created: 2021-12-10T20:17:55Z
Modified: 2021-12-06T22:11:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-2jhh-5xm2-j4gf/GHSA-2jhh-5xm2-j4gf.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-2jhh-5xm2-j4gf
Finding: F006
Auto approve: 1