CVE-2024-1329 – github.com/hashicorp/nomad
Package
Manager: go
Name: github.com/hashicorp/nomad
Vulnerable Version: =1.5.13 || >=1.5.13 <1.5.14 || >=1.6.0 <1.6.7 || =1.7.3 || >=1.7.3 <1.7.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00286 (percentile 0.51652)
Details
HashiCorp Nomad vulnerable to symlink attacks
The template renderer in HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3, is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14.
Metadata
Created: 2024-02-08T21:30:38Z
Modified: 2024-09-26T21:10:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-c866-8gpw-p3mv/GHSA-c866-8gpw-p3mv.json
CWE IDs: ["CWE-59", "CWE-610"]
Alternative ID: GHSA-c866-8gpw-p3mv
Finding: F063
Auto approve: 1