Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
History

Sat, 21 Dec 2024 02:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 20 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Dec 2024 02:00:00 +0000

Type Values Removed Values Added
Description Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
Title Nomad Allocations Vulnerable To Privilege Escalation Within A Namespace Using Unredacted Workload Identity Tokens
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2024-12-20T01:49:40.583Z

Updated: 2024-12-20T17:08:12.684Z

Reserved: 2024-12-16T16:20:12.439Z

Link: CVE-2024-12678

cve-icon Vulnrichment

Updated: 2024-12-20T17:08:07.133Z

cve-icon NVD

Status : Received

Published: 2024-12-20T02:15:05.500

Modified: 2024-12-20T02:15:05.500

Link: CVE-2024-12678

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-12-20T01:49:40Z

Links: CVE-2024-12678 - Bugzilla