GHSA-wmrx-57hm-mw7r

Source

https://github.com/advisories/GHSA-wmrx-57hm-mw7r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-wmrx-57hm-mw7r/GHSA-wmrx-57hm-mw7r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wmrx-57hm-mw7r

Aliases

Published

2022-02-18T00:00:34Z

Modified

2024-08-21T15:26:38.658288Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Arbitrary file reads in HashiCorp Nomad

Details

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.

Database specific

{
    "nvd_published_at": "2022-02-17T17:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T21:36:15Z"
}

References

Affected packages

Go / github.com/hashicorp/nomad

Package

Name: github.com/hashicorp/nomad; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type: SEMVER
Events: Introduced

0.9.2

Fixed

1.0.18

Go / github.com/hashicorp/nomad

Package

Name: github.com/hashicorp/nomad; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type: SEMVER
Events: Introduced

1.1.0

Fixed

1.1.12

Go / github.com/hashicorp/nomad

Package

Name: github.com/hashicorp/nomad; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type: SEMVER
Events: Introduced

1.2.0

Fixed

1.2.6