Path Bypass Vulnerability in HashiCorp Nomad with QEMU Task Driver
CVE-2021-43415

8.8HIGH

Key Information:

Vendor: Hashicorp
Status: Nomad
Vendor: CVE Published:; 3 December 2021

Summary

A vulnerability exists in HashiCorp Nomad and Nomad Enterprise when the QEMU task driver is enabled. Authenticated users with job submission rights could exploit this weakness to bypass the pre-configured allowed image paths, allowing potentially unsafe operations to proceed without proper path verification. This issue was addressed in versions 1.0.14, 1.1.8, and 1.2.1, which enhance security by enforcing stricter controls on image path allowances.

References

https://www.hashicorp.com/blog/category/nomad

x_refsource_MISC

https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 3, 2021
Vulnerability Reserved
Nov 8, 2021