CVE-2022-24683 – github.com/hashicorp/nomad
Package
Manager: go
Name: github.com/hashicorp/nomad
Vulnerable Version: >=0.9.2 <1.0.18 || >=1.1.0 <1.1.12 || >=1.2.0 <1.2.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00474 pctl0.63797
Details
Arbitrary file reads in HashiCorp Nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.0 through 1.1.11, and 1.2.0 through 1.2.5 allow operators holding the read-fs and alloc-exec (or job-submit) ACL capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible (to 1.0.18, 1.1.12 or 1.2.6, the first fixed releases on each line) to avoid this issue.
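As an added example (not part of this advisory and not Nomad's own code), a small Go checker that tests a Nomad version string against the vulnerable ranges listed in this entry. The range data is transcribed from the "Vulnerable Version" field above; the version parser, the handling of `+ent` build metadata and pre-release tags, and the names `parseVersion`, `Affected` and `cve202224683` are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH triple plus a flag for a pre-release
// tag (e.g. "-rc1"). Build metadata such as "+ent" is ignored, as semver does.
type version struct {
	major, minor, patch int
	pre                 bool
}

// parseVersion accepts "1.2.5", "v1.2.5", "1.2.5+ent" and "1.2.6-rc1".
// (Example parser written for this page, not Nomad's own version handling.)
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 { // drop build metadata
		s = s[:i]
	}
	pre := false
	if i := strings.Index(s, "-"); i >= 0 { // strip the pre-release tag, remember it
		s, pre = s[:i], true
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("bad version %q: want MAJOR.MINOR.PATCH", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("bad version %q: component %q", s, p)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2], pre}, nil
}

// cmp orders versions: numeric triple first, then a pre-release sorts
// below the corresponding final release (1.2.6-rc1 < 1.2.6), so an rc of
// the fixed release is still reported as affected.
func (a version) cmp(b version) int {
	for _, d := range []int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	switch {
	case a.pre && !b.pre:
		return -1
	case !a.pre && b.pre:
		return 1
	}
	return 0
}

// vulnRange is the half-open interval [lo, hi) expressed by ">=lo <hi".
type vulnRange struct{ lo, hi version }

// cve202224683 transcribes the advisory's range expression
// ">=0.9.2 <1.0.18 || >=1.1.0 <1.1.12 || >=1.2.0 <1.2.6".
var cve202224683 = []vulnRange{
	{version{major: 0, minor: 9, patch: 2}, version{major: 1, minor: 0, patch: 18}},
	{version{major: 1, minor: 1, patch: 0}, version{major: 1, minor: 1, patch: 12}},
	{version{major: 1, minor: 2, patch: 0}, version{major: 1, minor: 2, patch: 6}},
}

// Affected reports whether the given Nomad version string falls inside any
// vulnerable range. The fixed releases (1.0.18, 1.1.12, 1.2.6) and anything
// newer return false.
func Affected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range cve202224683 {
		if v.cmp(r.lo) >= 0 && v.cmp(r.hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs covering the boundaries of each range.
	for _, s := range []string{"0.9.1", "0.9.2", "1.0.17", "1.0.18", "1.1.11+ent", "1.2.5", "1.2.6-rc1", "1.2.6", "v1.3.0"} {
		hit, err := Affected(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", s, hit)
	}
}
```

The check only classifies the binary version; whether a given cluster is actually exposed also depends on which ACL policies grant read-fs together with alloc-exec or job-submit, which this example does not inspect. Feed it the output of `nomad version` (or the version reported by the agent API) on each client to find nodes that still need the upgrade.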
Metadata
Created: 2022-02-18T00:00:34Z
Modified: 2022-03-24T22:47:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-wmrx-57hm-mw7r/GHSA-wmrx-57hm-mw7r.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-wmrx-57hm-mw7r
Finding: F063
Auto approve: 1