CVE-2024-10975 — Incorrect Authorization in Nomad

CWE-863 — Incorrect Authorization6 documents4 sources

Severity

7.7HIGHNVD

EPSS

0.2%

top 62.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedNov 7

Latest updateNov 8

Description

Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.3.0 — 1.9.2

▶CVEListV5hashicorp/nomad1.3.0 — 1.9.2

▶NVDhashicorp/nomad1.3.0 — 1.7.15+3

▶Gogithub.com/hashicorp_nomad< 1.9.2+1

🔴Vulnerability Details

OSV

Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad↗2024-11-08

▶

OSV

CVE-2024-10975: Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Co↗2024-11-07

▶

CVEList

Nomad Vulnerable To Cross-Namespace Volume Creation Abusing CSI Write Permission↗2024-11-07

▶

GHSA

Hashicorp Nomad Incorrect Authorization vulnerability↗2024-11-07

▶

OSV

Hashicorp Nomad Incorrect Authorization vulnerability↗2024-11-07

▶