Arbitrary Cross-Namespace Volume Creation Vulnerability

CVE-2024-10975
7.7 HIGH

Key Information

Vendor
HashiCorp
Status
Nomad
Nomad Enterprise
Vendor
CVE Published: 7 November 2024

Summary

Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

Affected Version(s)

Nomad < 1.9.2

Nomad Enterprise < 1.9.2

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability Reserved.

  • Vulnerability published.

Collectors

NVD Database, Mitre Database