cbcvebase.

Github.Com Hashicorp Nomad vulnerabilities

34 known vulnerabilities affecting github.com/hashicorp_nomad.

Total CVEs
34
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH14MEDIUM14LOW3

Vulnerabilities

Page 2 of 2
CVE-2022-24684P4MEDIUMCVSS 6.5≥ 0.9.0, < 1.0.18≥ 1.1.0, < 1.1.12+1 more2022-02-16
CVE-2022-24684 [MEDIUM] CWE-400 Nomad Spread Job Stanza May Trigger Panic in Servers Nomad Spread Job Stanza May Trigger Panic in Servers Nomad and Nomad Enterprise allows operators with job-submit capabilities to use the spread stanza in a way such that it can cause panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.
ghsaosv
CVE-2022-41606P4MEDIUM≥ 0, < 1.2.13≥ 1.3.0, < 1.3.62022-10-12
CVE-2022-41606 [MEDIUM] CWE-20 Nomad Panics On Job Submission With Bad Artifact Stanza Source URL Nomad Panics On Job Submission With Bad Artifact Stanza Source URL HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
ghsaosv
CVE-2024-7625P4MEDIUMCVSS 5.8≥ 0.6.1, < 1.6.14≥ 1.7.0, < 1.7.11+1 more2024-08-15
CVE-2024-7625 [MEDIUM] CWE-610 Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file.
ghsaosv
CVE-2026-6959P4MEDIUMCVSS 6.0≥ 0, < 1.11.0-rc.1.0.20260512123500-2a09fd62c2382026-05-12
CVE-2026-6959 [MEDIUM] CWE-59 HashiCorp Nomad vulnerable to symlink attack HashiCorp Nomad vulnerable to symlink attack HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
ghsa
CVE-2023-0821P4MEDIUM≥ 1.2.15, < 1.2.16≥ 1.3.0, < 1.3.9+1 more2023-02-17
CVE-2023-0821 [MEDIUM] CWE-400 Uncontrolled Resource Consumption in Hashicorp Nomad Uncontrolled Resource Consumption in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.
ghsaosv
CVE-2023-3300P4MEDIUMCVSS 5.3≥ 0.11.0, < 1.4.11≥ 1.5.0, < 1.5.72023-07-20
CVE-2023-3300 [MEDIUM] CWE-266 Nomad Search API Leaks Information About CSI Plugins Nomad Search API Leaks Information About CSI Plugins A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability, CVE-2023-3300, affects Nomad since 0.11 and was fixed in 1.6.0, 1.5.7, and 1.4.11.
ghsaosv
CVE-2022-24686P4MEDIUM≥ 0.3.0, < 1.0.18≥ 1.1.0, < 1.1.12+1 more2022-02-15
CVE-2022-24686 [MEDIUM] CWE-362 HashiCorp Nomad Artifact Download Race Condition HashiCorp Nomad Artifact Download Race Condition HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. This issue is fixed in 1.0.18, 1.1.12, and 1.2.6.
ghsaosv
CVE-2021-32575P4MEDIUM≥ 1.0.0, < 1.0.5≥ 0, < 0.12.122021-06-24
CVE-2021-32575 [MEDIUM] CWE-1100 Improper network isolation in Hashicorp Nomad Improper network isolation in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
ghsaosv
CVE-2023-1296P4MEDIUMCVSS 5.3≥ 1.4.0, < 1.4.6≥ 1.5.0, < 1.5.12023-07-06
CVE-2023-1296 [MEDIUM] Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. If included, the Nomad ACL system will silently fail to block access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.
ghsaosv
CVE-2019-14802P4MEDIUM≥ 0, < 0.9.52022-02-15
CVE-2019-14802 [MEDIUM] CWE-200 Hashicorp Nomad Information Exposure Through Environmental Variables Hashicorp Nomad Information Exposure Through Environmental Variables In Nomad before version 0.9.5, when rendering a task template, all environment variables were available to the rendering task. As a fix, only task environment variables are used.
ghsaosv
CVE-2022-3866P4MEDIUM≥ 1.4.0, < 1.4.22022-11-10
CVE-2022-3866 [MEDIUM] CWE-668 HashiCorp Nomad vulnerable to non-sensitive metadata exposure HashiCorp Nomad vulnerable to non-sensitive metadata exposure HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under `nomad/` that belong to other jobs in the same namespace. Fixed in 1.4.2.
ghsaosv
CVE-2022-3867P4LOW≥ 1.4.0, < 1.4.22022-11-10
CVE-2022-3867 [LOW] CWE-613 HashiCorp Nomad vulnerable to Insufficient Session Expiration HashiCorp Nomad vulnerable to Insufficient Session Expiration HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
ghsaosv
CVE-2023-3072P4LOWCVSS 3.8≥ 0.7.0, < 1.4.11≥ 1.5.0, < 1.5.62023-07-20
CVE-2023-3072 [LOW] CWE-266 Nomad ACL Policies without Label are Applied to Unexpected Resources Nomad ACL Policies without Label are Applied to Unexpected Resources A vulnerability was identified in Nomad, an ACL policy using a block without label may be applied to unexpected resources. This vulnerability, CVE-2023-3072, affects Nomad from 0.7 up to 1.5.6 and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.
ghsaosv
CVE-2023-3299P4LOWCVSS 2.7≥ 1.2.11, < 1.4.11≥ 1.5.0, < 1.5.72023-07-20
CVE-2023-3299 [LOW] CWE-201 Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel Nomad Caller ACL Token’s Secret ID is Exposed to Sentinel A vulnerability was identified in Nomad such that the API caller’s ACL token secret ID is exposed to Sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.
ghsaosv
Github.Com Hashicorp Nomad vulnerabilities | cvebase