Filtered by vendor Hashicorp Subscriptions
Filtered by product Nomad Subscriptions
Total 28 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-1329 1 Hashicorp 1 Nomad 2024-11-21 7.7 High
HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
CVE-2023-3300 1 Hashicorp 1 Nomad 2024-11-21 5.3 Medium
HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.
CVE-2023-3299 1 Hashicorp 1 Nomad 2024-11-21 3.4 Low
HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
CVE-2023-3072 1 Hashicorp 1 Nomad 2024-11-21 4.1 Medium
HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
CVE-2023-1782 1 Hashicorp 1 Nomad 2024-11-21 10 Critical
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
CVE-2023-1299 1 Hashicorp 1 Nomad 2024-11-21 7.4 High
HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.
CVE-2023-1296 1 Hashicorp 1 Nomad 2024-11-21 2.7 Low
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.
CVE-2023-0821 1 Hashicorp 1 Nomad 2024-11-21 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.
CVE-2022-41606 1 Hashicorp 1 Nomad 2024-11-21 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
CVE-2022-3867 1 Hashicorp 1 Nomad 2024-11-21 2.7 Low
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
CVE-2022-3866 1 Hashicorp 1 Nomad 2024-11-21 5 Medium
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.
CVE-2022-30324 1 Hashicorp 1 Nomad 2024-11-21 9.8 Critical
HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.
CVE-2022-24686 1 Hashicorp 1 Nomad 2024-11-21 5.9 Medium
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6
CVE-2022-24685 1 Hashicorp 1 Nomad 2024-11-21 7.5 High
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.
CVE-2022-24684 1 Hashicorp 1 Nomad 2024-11-21 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.
CVE-2022-24683 1 Hashicorp 1 Nomad 2024-11-21 7.5 High
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
CVE-2021-43415 1 Hashicorp 1 Nomad 2024-11-21 8.8 High
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
CVE-2021-41865 1 Hashicorp 1 Nomad 2024-11-21 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.
CVE-2021-3283 1 Hashicorp 1 Nomad 2024-11-21 7.5 High
HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3.
CVE-2021-37218 1 Hashicorp 1 Nomad 2024-11-21 8.8 High
HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4.