Vulnerability in HashiCorp Nomad Affects Job Submission with Invalid URLs
CVE-2022-41606
6.5 MEDIUM
Summary
HashiCorp Nomad and Nomad Enterprise versions 1.0.2 through 1.2.12 and 1.3.5 are affected by a vulnerability that allows attackers to crash client agents by submitting a job whose artifact stanza contains an invalid S3 or GCS URL. These crashes impact the stability and reliability of the Nomad deployment. The vulnerability is fixed in versions 1.2.13, 1.3.6, and 1.4.0; users are encouraged to upgrade to one of these releases to mitigate the issue.
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved