HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/6xxx/CVE-2024-6717.json",
"cna_assigner": "HashiCorp",
"cwe_ids": [
"CWE-610"
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"cpe": [
"cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*",
"cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:hashicorp:nomad:1.6.12:*:*:*:-:*:*:*",
"cpe:2.3:a:hashicorp:nomad:1.6.12:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:hashicorp:nomad:1.8.1:*:*:*:-:*:*:*",
"cpe:2.3:a:hashicorp:nomad:1.8.1:*:*:*:enterprise:*:*:*"
],
"extracted_events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.10"
},
{
"introduced": "1.6.12"
},
{
"last_affected": "1.6.12"
},
{
"introduced": "1.8.1"
},
{
"last_affected": "1.8.1"
}
]
}