CVE-2021-43415 — Improper Authentication in Hashicorp Nomad

CWE-287 — Improper Authentication7 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 46.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Nomad Hashicorp Nomad

Timeline

PublishedDec 3

Latest updateAug 21

Description

HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDhashicorp/nomad1.0.0 — 1.0.14+2

▶Gogithub.com/hashicorp_nomad1.1.0 — 1.1.8+2

🔴Vulnerability Details

OSV

Improper Authentication in HashiCorp Nomad in github.com/hashicorp/nomad↗2024-08-21

▶

GHSA

Improper Authentication in HashiCorp Nomad↗2021-12-10

▶

OSV

Improper Authentication in HashiCorp Nomad↗2021-12-10

▶

CVEList

CVE-2021-43415: HashiCorp Nomad and Nomad Enterprise up to 1↗2021-12-03

▶

OSV

CVE-2021-43415: HashiCorp Nomad and Nomad Enterprise up to 1↗2021-12-03

▶

📋Vendor Advisories

Red Hat

nomad: QEMU task driver allowed paths bypass with job args↗2021-11-21

▶