CVE-2024-6717 — Externally Controlled Reference to a Resource in Another Sphere in Nomad

CWE-610 — Externally Controlled Reference to a Resource in Another Sphere6 documents4 sources

Severity

8.6HIGHNVD

CNA7.7

EPSS

0.3%

top 47.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedJul 23

Latest updateJan 12

Description

HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise< 1.8.2

▶CVEListV5hashicorp/nomad< 1.8.2

▶NVDhashicorp/nomad1.7.0 — 1.7.10+2

▶Gogithub.com/hashicorp_nomad< 1.11.1+1

🔴Vulnerability Details

OSV

HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration in github.com/hashicorp/nomad↗2026-01-12

▶

OSV

HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration↗2024-07-23

▶

GHSA

HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration↗2024-07-23

▶

CVEList

Nomad Vulnerable to Allocation Directory Path Escape Through Archive Unpacking↗2024-07-23

▶

OSV

CVE-2024-6717: HashiCorp Nomad and Nomad Enterprise 1↗2024-07-23

▶