Nomad Client User Arbitrary File Write Vulnerability
CVE-2024-1329
7.5 HIGH
Summary
The template renderer in HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3, is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
Affected Version(s)
Nomad <= 1.5.13
Nomad <= 1.6.6
Nomad <= 1.7.3
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Risk change from 7.5 to 7.7 (HIGH)
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD Database, Mitre Database