GHSA-wmrx-57hm-mw7r

Suggest an improvement
Source
https://github.com/advisories/GHSA-wmrx-57hm-mw7r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-wmrx-57hm-mw7r/GHSA-wmrx-57hm-mw7r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wmrx-57hm-mw7r
Aliases
Published
2022-02-18T00:00:34Z
Modified
2023-11-08T04:08:32.534808Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Arbitrary file reads in HashiCorp Nomad
Details

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.

References

Affected packages

Go / github.com/hashicorp/nomad

Package

Name
github.com/hashicorp/nomad
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type
SEMVER
Events
Introduced
0.9.2
Fixed
1.0.18

Go / github.com/hashicorp/nomad

Package

Name
github.com/hashicorp/nomad
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type
SEMVER
Events
Introduced
1.1.0
Fixed
1.1.12

Go / github.com/hashicorp/nomad

Package

Name
github.com/hashicorp/nomad
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/nomad

Affected ranges

Type
SEMVER
Events
Introduced
1.2.0
Fixed
1.2.6