Nomad Archives Vulnerability: Write Access Outside Allocation Directory
CVE-2024-7625

5.8 MEDIUM

Key Information:

Vendor
HashiCorp
Status
Nomad
Nomad Enterprise
CVE Published: 15 August 2024

Summary

In HashiCorp Nomad and Nomad Enterprise versions from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, a flaw in the archive unpacking process permits unauthorized writes to locations outside the allocation directory while allocation directories are being migrated. This occurs when multiple archive headers point to the same target file, potentially leading to significant security risks. Exploitation requires access to the Nomad client agent at the source allocation, which emphasizes the need for secure handling of client agent access.

Affected Version(s)

Nomad (64 bit): 0.6.1 up to, but not including, 1.8.3

Nomad Enterprise (64 bit): 0.6.1 up to, but not including, 1.8.3

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

Collectors

NVD Database, Mitre Database