Hashicorp Nomad Enterprise vulnerabilities
18 known vulnerabilities affecting hashicorp/nomad_enterprise.
Total CVEs
18
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH7MEDIUM8LOW2
Vulnerabilities
Page 1 of 1
CVE-2025-4922HIGHCVSS 8.1≥ 1.4.0, < 1.10.22025-06-11
CVE-2025-4922 [HIGH] CWE-266 CVE-2025-4922: Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
cvelistv5nvd
CVE-2025-3744HIGHCVSS 7.6fixed in 1.10.12025-05-13
CVE-2025-3744 [HIGH] CWE-266 CVE-2025-3744: Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentine
Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13.
cvelistv5nvd
CVE-2025-1296MEDIUMCVSS 6.5≥ 1.0.0, < 1.9.72025-03-10
CVE-2025-1296 [MEDIUM] CWE-532 CVE-2025-1296: Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workl
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
cvelistv5nvd
CVE-2025-0937HIGHCVSS 7.1≥ 1.0.0, < 1.9.62025-02-12
CVE-2025-0937 [HIGH] CWE-863 CVE-2025-0937: Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can
Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.
cvelistv5nvd
CVE-2024-12678MEDIUMCVSS 6.5≥ 1.4.0, < 1.9.42024-12-20
CVE-2024-12678 [MEDIUM] CWE-266 CVE-2024-12678: Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation wi
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
cvelistv5nvd
CVE-2024-10975HIGHCVSS 7.7≥ 1.3.0, < 1.9.22024-11-07
CVE-2024-10975 [HIGH] CWE-863 CVE-2024-10975: Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross
Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.
cvelistv5nvd
CVE-2024-7625MEDIUMCVSS 5.8≥ 0.6.1, < 1.8.32024-08-15
CVE-2024-7625 [MEDIUM] CWE-610 CVE-2024-7625: In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpa
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access
cvelistv5nvd
CVE-2024-6717HIGHCVSS 8.6fixed in 1.8.22024-07-23
CVE-2024-6717 [HIGH] CWE-610 CVE-2024-6717: HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migratio
HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.
cvelistv5nvd
CVE-2024-1329HIGHCVSS 7.5≤ 1.5.132024-02-08
CVE-2024-1329 [HIGH] CWE-59 CVE-2024-1329: HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable t
HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
cvelistv5nvd
CVE-2023-3300MEDIUMCVSS 5.3≥ 0.11.0, ≤ 1.4.12023-07-20
CVE-2023-3300 [MEDIUM] CWE-266 CVE-2023-3300: HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names o
HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.
cvelistv5nvd
CVE-2023-3299LOWCVSS 2.7≥ 1.2.11, ≤ 1.4.102023-07-20
CVE-2023-3299 [LOW] CWE-201 CVE-2023-3299: HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label
HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
cvelistv5nvd
CVE-2023-3072LOWCVSS 3.8≥ 0.7.0, ≤ 1.4.102023-07-20
CVE-2023-3072 [LOW] CWE-266 CVE-2023-3072: HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without
HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
cvelistv5nvd
CVE-2023-1782CRITICALCVSS 9.8≥ 1.5.0, < 1.5.32023-04-05
CVE-2023-1782 [CRITICAL] CWE-862 CVE-2023-1782: HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypas
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
cvelistv5nvd
CVE-2023-1299HIGHCVSS 8.8v1.5.02023-03-14
CVE-2023-1299 [HIGH] CWE-862 CVE-2023-1299: HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level pri
HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.
cvelistv5nvd
CVE-2023-1296MEDIUMCVSS 5.3v1.5.0≥ 1.4.0, < 1.4.62023-03-14
CVE-2023-1296 [MEDIUM] CWE-682 CVE-2023-1296: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies appli
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.
cvelistv5nvd
CVE-2023-0821MEDIUMCVSS 6.5≤ 1.2.152023-02-16
CVE-2023-0821 [MEDIUM] CWE-409 CVE-2023-0821: HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compress
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.
cvelistv5nvd
CVE-2022-3867MEDIUMCVSS 4.3v1.4.0v1.4.12022-11-10
CVE-2022-3867 [MEDIUM] CWE-613 CVE-2022-3867: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with T
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
cvelistv5nvd
CVE-2022-3866MEDIUMCVSS 4.3v1.4.0v1.4.12022-11-10
CVE-2022-3866 [MEDIUM] CWE-668 CVE-2022-3866: HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitiv
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.
cvelistv5nvd