CVE-2024-1329 — Link Following in Hashicorp Nomad

CWE-59 — Link Following CWE-610 — Externally Controlled Reference to a Resource in Another Sphere6 documents4 sources

Severity

7.5HIGHNVD

CNA7.7

EPSS

0.3%

top 43.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Nomad Hashicorp Nomad Hashicorp Nomad Enterprise

Timeline

PublishedFeb 8

Latest updateMar 4

Description

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.5.13+2

▶NVDhashicorp/nomad1.5.13 — 1.5.14+2

▶Gogithub.com/hashicorp_nomad1.5.13 — 1.5.14+2

▶CVEListV5hashicorp/nomad1.5.13+2

🔴Vulnerability Details

OSV

Symlink attack in github.com/hashicorp/nomad↗2024-03-04

▶

OSV

CVE-2024-1329: HashiCorp Nomad and Nomad Enterprise 1↗2024-02-08

▶

GHSA

HashiCorp Nomad vulnerable to symlink attacks↗2024-02-08

▶

OSV

HashiCorp Nomad vulnerable to symlink attacks↗2024-02-08

▶

CVEList

Nomad Vulnerable to Arbitrary Write Through Symlink Attack↗2024-02-08

▶