CVE-2024-12678 — Incorrect Privilege Assignment in Nomad

CWE-266 — Incorrect Privilege Assignment7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 46.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedDec 20

Description

Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.4.0 — 1.9.4

▶CVEListV5hashicorp/nomad1.4.0 — 1.9.4

▶NVDhashicorp/nomad1.4.0 — 1.7.16+3

▶Gogithub.com/hashicorp_nomad< 1.9.4

🔴Vulnerability Details

CVEList

Nomad Allocations Vulnerable To Privilege Escalation Within A Namespace Using Unredacted Workload Identity Tokens↗2024-12-20

▶

OSV

Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad↗2024-12-20

▶

OSV

Hashicorp Nomad Incorrect Privilege Assignment vulnerability↗2024-12-20

▶

OSV

CVE-2024-12678: Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload ident↗2024-12-20

▶

GHSA

Hashicorp Nomad Incorrect Privilege Assignment vulnerability↗2024-12-20

▶

📋Vendor Advisories

Red Hat

github.com/hashicorp/nomad: Nomad Allocations Vulnerable To Privilege Escalation Within A Namespace Using Unredacted Workload Identity Tokens↗2024-12-20

▶