Hashicorp Nomad vulnerabilities
38 known vulnerabilities affecting hashicorp/nomad.
Total CVEs
38
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH14MEDIUM17LOW2
Vulnerabilities
Page 2 of 2
CVE-2024-12678P3MEDIUMCVSS 6.5≥ 1.4.0, < 1.7.16≥ 1.4.0, < 1.9.4+2 more2024-12-20
CVE-2024-12678 [MEDIUM] CWE-266 CVE-2024-12678: Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation wi
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
nvd
CVE-2025-1296P3MEDIUMCVSS 6.5≥ 1.0.0, < 1.7.19≥ 1.0.0, < 1.9.7+2 more2025-03-10
CVE-2025-1296 [MEDIUM] CWE-532 CVE-2025-1296: Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workl
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
nvd
CVE-2022-24684P4MEDIUMCVSS 6.5≥ 0.9.0, < 1.0.18≥ 1.1.0, < 1.1.12+1 more2022-02-15
CVE-2022-24684 [MEDIUM] CVE-2022-24684: HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with jo
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.
nvd
CVE-2022-41606P4MEDIUMCVSS 6.5≥ 1.0.2, < 1.2.13≥ 1.3.0, < 1.3.62022-10-12
CVE-2022-41606 [MEDIUM] CWE-20 CVE-2022-41606: HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact s
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
nvd
CVE-2023-0821P4MEDIUMCVSS 6.5fixed in 1.2.15≥ 1.3.0, < 1.3.9+2 more2023-02-16
CVE-2023-0821 [MEDIUM] CWE-409 CVE-2023-0821: HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compress
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.
nvd
CVE-2022-24686P4MEDIUMCVSS 5.9≥ 0.3.0, < 1.0.18≥ 1.1.0, < 1.1.12+1 more2022-02-14
CVE-2022-24686 [MEDIUM] CWE-362 CVE-2022-24686: HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download funct
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6
nvd
CVE-2024-7625P4MEDIUMCVSS 5.8≥ 0.6.1, < 1.6.14≥ 1.7.0, < 1.7.11+3 more2024-08-15
CVE-2024-7625 [MEDIUM] CWE-610 CVE-2024-7625: In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpa
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access
nvd
CVE-2021-41865P4MEDIUMCVSS 6.5≥ 1.1.1, < 1.1.62021-10-07
CVE-2021-41865 [MEDIUM] CVE-2021-41865: HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submis
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.
nvd
CVE-2026-6959P4MEDIUMCVSS 6.0≥ 0.9.0, < 2.0.12026-05-12
CVE-2026-6959 [MEDIUM] CWE-59 CVE-2026-6959: HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
nvd
CVE-2023-3300P4MEDIUMCVSS 5.3≥ 0.11.0, ≤ 1.4.1≥ 1.5.0, ≤ 1.5.62023-07-20
CVE-2023-3300 [MEDIUM] CWE-266 CVE-2023-3300: HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names o
HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.
nvd
CVE-2021-32575P4MEDIUMCVSS 6.5≤ 1.0.42021-06-17
CVE-2021-32575 [MEDIUM] CVE-2021-32575: HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
nvd
CVE-2019-14802P4MEDIUMCVSS 5.3≥ 0.5.0, < 0.9.52022-12-26
CVE-2019-14802 [MEDIUM] CWE-200 CVE-2019-14802: HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the
HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.
nvd
CVE-2020-10944P4MEDIUMCVSS 5.4≥ 0.3, < 0.10.52020-04-28
CVE-2020-10944 [MEDIUM] CWE-79 CVE-2020-10944: HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability suc
HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5.
nvd
CVE-2023-1296P4MEDIUMCVSS 5.3≥ 1.4.0, < 1.4.6v1.5.02023-03-14
CVE-2023-1296 [MEDIUM] CWE-682 CVE-2023-1296: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies appli
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.
nvd
CVE-2022-3866P4MEDIUMCVSS 4.3v1.4.0v1.4.12022-11-10
CVE-2022-3866 [MEDIUM] CWE-668 CVE-2022-3866: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitiv
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.
nvd
CVE-2022-3867P4MEDIUMCVSS 4.3v1.4.0v1.4.12022-11-10
CVE-2022-3867 [MEDIUM] CWE-613 CVE-2022-3867: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with T
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
nvd
CVE-2023-3072P4LOWCVSS 3.8≥ 0.7.0, ≤ 1.4.10≥ 1.5.0, ≤ 1.5.62023-07-20
CVE-2023-3072 [LOW] CWE-266 CVE-2023-3072: HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without
HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
nvd
CVE-2023-3299P4LOWCVSS 2.7≥ 1.2.11, ≤ 1.4.10≥ 1.5.0, ≤ 1.5.62023-07-20
CVE-2023-3299 [LOW] CWE-201 CVE-2023-3299: HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label
HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
nvd
← Previous2 / 2