logo

Database

Lack of data validation - Path Traversal In github.com/hashicorp/nomad

Description

HashiCorp Nomad vulnerable to symlink attacks HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-13292. NVD-2024-13293. OSV-2024-13294. GCVE-2024-1329

References

1. https://github.com/hashicorp/nomad/issues/198882. https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b3786658343. https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a4. https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a705. https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.