logo

Database

Lack of data validation - Path Traversal In github.com/hashicorp/nomad

Description

Arbitrary file reads in HashiCorp Nomad Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-246832. NVD-2022-246833. OSV-2022-246834. GCVE-2022-24683

References

1. https://github.com/hashicorp/nomad/commit/1aa46c3796e924b72eb45a7f02dae32df0c1179c2. https://github.com/hashicorp/nomad/commit/b3c0e6a7a53d624003698b48b6c59739552c37213. https://github.com/hashicorp/nomad/commit/fcb3a5d016a3dfcc63efcdb567373735a07032794. https://discuss.hashicorp.com5. https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/355606. https://security.netapp.com/advisory/ntap-20220318-0008

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.