CVE-2022-24683
Published 2022-02-17
CVE-2022-24683: HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read…
Priority: P345 high | 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.52% (71.3th percentile)
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_nomad | >= 0.9.2 < 1.0.18 | 1.0.18 |
| github.com | hashicorp_nomad | >= 1.1.0 < 1.1.12 | 1.1.12 |
| github.com | hashicorp_nomad | >= 1.2.0 < 1.2.6 | 1.2.6 |
| hashicorp | nomad | >= 0.9.2 < 1.0.18 | 1.0.18 |
| hashicorp | nomad | >= 1.1.0 < 1.1.12 | 1.1.12 |
| hashicorp | nomad | >= 1.2.0 < 1.2.6 | 1.2.6 |
CVSS provenance
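| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| osv | | 7.5 | HIGH | |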
OSV
Arbitrary file reads in HashiCorp Nomad in github.com/hashicorp/nomad
osv·2024-08-21
CVE-2022-24683 Arbitrary file reads in HashiCorp Nomad in github.com/hashicorp/nomad
GHSA
Arbitrary file reads in HashiCorp Nomad
ghsa·2022-02-18
CVE-2022-24683 [HIGH] CWE-22 Arbitrary file reads in HashiCorp Nomad
Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.
OSV
Arbitrary file reads in HashiCorp Nomad
osv·2022-02-18
CVE-2022-24683 [HIGH] Arbitrary file reads in HashiCorp Nomad
OSV
CVE-2022-24683: HashiCorp Nomad and Nomad Enterprise 0
osv·2022-02-17·CVSS 7.5
CVE-2022-24683 [HIGH] CVE-2022-24683: HashiCorp Nomad and Nomad Enterprise 0
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
https://security.netapp.com/advisory/ntap-20220318-0008/
Published: 2022-02-17