Nomad Archives Vulnerability: Write Access Outside Allocation Directory
CVE-2024-7625
5.8 MEDIUM
Summary
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Exploiting it first requires access to, or compromise of, the Nomad client agent at the source allocation.
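The condition named in the summary, more than one archive header targeting the same file, can be screened for before anything is unpacked. The Go program below is an added example, not Nomad's code or its fix; it assumes the migrated directory arrives as a tar stream, and `checkArchive`, `buildTar`, the sample entry names and `/tmp/alloc-dest` are hypothetical.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// checkArchive (hypothetical helper) reads every tar header before extraction and rejects
// the stream if two headers resolve to one path or any path resolves outside destDir.
func checkArchive(r io.Reader, destDir string) error {
	seen, root := map[string]bool{}, filepath.Clean(destDir)
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		switch {
		case err == io.EOF:
			return nil
		case err != nil:
			return err
		}
		target := filepath.Join(root, hdr.Name) // Join also normalises "./" and ".."
		if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
			return fmt.Errorf("entry %q resolves outside %s", hdr.Name, root)
		}
		if seen[target] {
			return fmt.Errorf("more than one header targets %q", target)
		}
		seen[target] = true
	}
}

// buildTar (hypothetical helper) builds a constructed in-memory archive of regular files.
func buildTar(names ...string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range names {
		body := []byte("constructed sample\n")
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write(body)
	}
	tw.Close()
	return buf
}

func main() {
	fmt.Println(checkArchive(buildTar("alloc/data/a.txt", "./alloc/data/a.txt"), "/tmp/alloc-dest"))
}
```

The check is lexical and runs over the whole stream first, so a rejected archive never reaches the filesystem; upgrading to a fixed release remains the remedy the advisory gives.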
Affected Version(s)
Nomad < 1.8.3
Nomad Enterprise < 1.8.3
CVSS V3.1
Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Timeline
Risk change from: null to: 5.8 - (MEDIUM)
Vulnerability published.
Collectors
NVD Database, Mitre Database