Lucene search

GoogleOSV:GO-2024-3073

HistoryAug 19, 2024 - 5:26 p.m.

Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad

2024-08-1917:26:34

Google

osv.dev

nomad

vulnerability

archive unpacking

github

hashicorp

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

AI Score

6.6

Confidence

Low

JSON

Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/hashicorp/nomad from v0.6.1 before v1.6.14, from v1.7.0 before v1.7.11, from v1.8.0 before v1.8.3.

References

discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293

github.com/advisories/GHSA-25qx-vfw2-fw8r

nvd.nist.gov/vuln/detail/CVE-2024-7625

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

AI Score

6.6

Confidence

Low

JSON

Related for OSV:GO-2024-3073