Lucene search
+L
HashicorpNomad

36 matches found

CVE
CVE
added 2023/07/19 11:35 p.m.2518 views

CVE-2023-3300

HashiCorp Nomad and Nomad Enterprise expose a vulnerability (CVE-2023-3300) where the HTTP search API can reveal names of available CSI plugins to unauthenticated users or those without the plugin:read policy. Affected versions are Nomad/Nomad Enterprise 0.11.0 through 1.5.6 and 1.4.1. The issue ...

5.3CVSS5.2AI score0.0047EPSS
CVE
CVE
added 2022/02/15 2:4 p.m.150 views

CVE-2022-24684

HashiCorp Nomad and Nomad Enterprise versions affected: 0.9.0 through 1.0.16, 1.1.11, and 1.2.5. The issue arises when operators with job-submit capabilities use the spread stanza, which can panic Nomad server agents. The root cause is tied to the spread stanza handling within these releases, and...

6.5CVSS6.3AI score0.01396EPSS
CVE
CVE
added 2022/02/17 4:36 p.m.147 views

CVE-2022-24683

HashiCorp Nomad and Nomad Enterprise 0.9.2–1.0.17, 1.1.11, and 1.2.5 are reported vulnerable. The issue allows operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem with root privileges. The CVE entry details the affected product/version...

7.8CVSS7.3AI score0.01539EPSS
CVE
CVE
added 2022/02/28 1:26 p.m.136 views

CVE-2022-24685

HashiCorp Nomad and Nomad Enterprise were affected in versions 1.0.17, 1.1.11, and 1.2.5 due to invalid HCL in the jobs parse endpoint, which could cause excessive CPU usage (DoS). The issue is resolved in 1.0.18, 1.1.12, and 1.2.6. No exploitation details are provided in the sources.

7.5CVSS7.4AI score0.01524EPSS
CVE
CVE
added 2022/02/14 1:54 p.m.130 views

CVE-2022-24686

CVE-2022-24686 affects HashiCorp Nomad and Nomad Enterprise, where artifact download for the Nomad client agent can race-condition and overwrite the wrong artifact into the wrong destination. Affected versions are 0.3.0 through 1.0.17, 1.1.11, and 1.2.5. The issue is fixed in 1.0.18, 1.1.12, and ...

5.9CVSS5.5AI score0.00863EPSS
CVE
CVE
added 2022/12/26 12:0 a.m.123 views

CVE-2019-14802

CVE-2019-14802 affects HashiCorp Nomad versions 0.5.0–0.9.4, where unintended environment variables are exposed to the rendering task during template rendering in nomad/client/allocrunner/taskrunner/template. Root cause: environment variables leak during template rendering. Impact: partial inform...

5.3CVSS5.1AI score0.00589EPSS
CVE
CVE
added 2021/09/07 11:40 a.m.115 views

CVE-2021-37218

CVE-2021-37218 affects HashiCorp Nomad and Nomad Enterprise, specifically the Raft RPC layer. The issue allows non-server agents presenting a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Affected versions were fixed in Nomad 1.0.10 an...

8.8CVSS8.5AI score0.00689EPSS
CVE
CVE
added 2020/01/31 12:26 p.m.112 views

CVE-2020-7218

CVE-2020-7218 affects HashiCorp Nomad and Nomad Enterprise up to version 0.10.2, where HTTP/RPC services allowed unbounded resource usage and could suffer unauthenticated denial of service. The issue is fixed in 0.10.3. Connected documents corroborate the vulnerability pattern and remediation; ex...

7.5CVSS7.3AI score0.01466EPSS
CVE
CVE
added 2021/06/17 6:28 p.m.107 views

CVE-2021-32575

HashiCorp Nomad and Nomad Enterprise up to v1.0.4 are affected by an ARP spoofing risk in bridge networking mode, allowing bridged tasks on the same node to spoof each other’s ARP replies. Root cause: bridge networking isolation weakness within Nomad’s task networking. Impact: potential compromis...

6.5CVSS6.2AI score0.00512EPSS
CVE
CVE
added 2020/11/24 2:31 a.m.104 views

CVE-2020-28348

HashiCorp Nomad and Nomad Enterprise vulnerable to a path traversal issue in the client Dockerfile sandbox feature for 0.9.0–0.12.7, potentially subverting isolation when not disabled or with volume mounts. Fixed in 0.12.8, 0.11.7, and 0.10.8. Upgrade to one of these versions (or apply vendor gui...

6.5CVSS6.3AI score0.01631EPSS
CVE
CVE
added 2019/08/12 4:49 p.m.103 views

CVE-2019-12618

CVE-2019-12618 affects HashiCorp Nomad 0.9.0–0.9.1 with Incorrect Access Control via the exec driver. Root cause described as an access control error leading to privilege escalation via the exec driver. A fix is available in Nomad 0.9.2 (and later); update recommended. No exploitation details are...

10CVSS9.4AI score0.02421EPSS
CVE
CVE
added 2022/05/27 2:48 p.m.103 views

CVE-2022-30324

CVE-2022-30324 affects HashiCorp Nomad and Nomad Enterprise versions 0.2.0 up to 1.3.0. The underlying issue is a go-getter vulnerability in the artifact stanza that enables privilege escalation on the client agent host. Fixes are provided in Nomad/Nomad Enterprise versions 1.1.14, 1.2.8, and 1.3...

9.8CVSS9.7AI score0.01325EPSS
CVE
CVE
added 2021/12/03 9:20 p.m.101 views

CVE-2021-43415

CVE-2021-43415 affects HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0 when the QEMU task driver is enabled. Authenticated users with job submission capabilities could bypass the configured allowed image paths due to the underlying issue in the QEMU task driver handling. Fixed...

8.8CVSS8.2AI score0.01182EPSS
CVE
CVE
added 2023/03/14 2:46 p.m.101 views

CVE-2023-1299

CVE-2023-1299 affects HashiCorp Nomad and Nomad Enterprise 1.5.0, where a job submitter can escalate to management-level privileges via the workload identity and task API. Root cause (as described in related advisories): the workload identity token can be exposed to the workload through a unix do...

8.8CVSS8AI score0.00532EPSS
CVE
CVE
added 2020/10/22 4:19 p.m.93 views

CVE-2020-27195

CVE-2020-27195 affects HashiCorp Nomad and Nomad Enterprise where the client file sandbox feature can be subverted via the template or artifact stanzas in versions 0.9.0 through 0.12.5. The issue has been fixed in 0.12.6, 0.11.5, and 0.10.6. Affected component: client file sandbox; root cause: sa...

9.1CVSS9.1AI score0.01491EPSS
CVE
CVE
added 2023/03/14 2:45 p.m.93 views

CVE-2023-1296

HashiCorp Nomad and Nomad Enterprise were vulnerable where deny policies on a workload’s variables were not enforced. Affected versions: Nomad/Nomad Enterprise 1.4.0 up to 1.5.0. Root cause involves ACL/deny policy enforcement for workload variables. Impact per sources is limited to confidential ...

5.3CVSS4.4AI score0.0054EPSS
CVE
CVE
added 2021/02/01 3:36 p.m.88 views

CVE-2021-3283

CVE-2021-3283 affects HashiCorp Nomad and Nomad Enterprise up to version 0.12.9, where the exec and Java task drivers could access processes belonging to other tasks on the same node due to insufficient isolation. The underlying impact is elevated exposure of running task processes on a shared no...

7.5CVSS7.3AI score0.01453EPSS
CVE
CVE
added 2023/02/16 9:23 p.m.87 views

CVE-2023-0821

CVE-2023-0821 affects HashiCorp Nomad and Nomad Enterprise from versions 1.2.15 through 1.3.8, and 1.4.3, where a maliciously compressed artifact stanza source can trigger excessive disk usage. The issue is fixed in 1.2.16, 1.3.9, and 1.4.4. The connected sources provide explicit affected version...

6.5CVSS6.3AI score0.00795EPSS
CVE
CVE
added 2020/04/28 1:29 p.m.82 views

CVE-2020-10944

HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contain a cross-site scripting vulnerability in the web UI triggered by files from a malicious workload; arbitrary JavaScript could execute in the UI. The issue is fixed in 0.10.5. Affected component is the Nomad web interface; root cause is a pay...

5.4CVSS5.3AI score0.0067EPSS
CVE
CVE
added 2025/03/10 6:2 p.m.82 views

CVE-2025-1296

CVE-2025-1296 affects Nomad Community Edition and Nomad Enterprise. The issue is unintentional exposure of workload identity tokens and client secret tokens in audit logs, caused by logging of sensitive credentials. Fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1....

6.5CVSS7AI score0.0046EPSS
CVE
CVE
added 2022/10/11 12:0 a.m.81 views

CVE-2022-41606

CVE-2022-41606 affects HashiCorp Nomad and Nomad Enterprise releases from 1.0.2 up to 1.2.12 and 1.3.5. Submitting jobs with an artifact stanza containing invalid S3 or GCS URLs can crash client agents. The issue is fixed in Nomad/Nomad Enterprise 1.2.13, 1.3.6, and 1.4.0. No exploitation details...

6.5CVSS6.3AI score0.00716EPSS
CVE
CVE
added 2025/02/12 6:59 p.m.81 views

CVE-2025-0937

Summary: CVE-2025-0937 affects Nomad Community and Nomad Enterprise. An event stream configured with a wildcard namespace can bypass ACL policy, allowing reads from other namespaces. What’s affected: Nomad’s event stream endpoint within Nomad Community and Nomad Enterprise. The underlying issue i...

7.1CVSS7AI score0.0043EPSS
CVE
CVE
added 2025/06/11 1:24 p.m.78 views

CVE-2025-4922

CVE-2025-4922 affects Nomad Community Edition and Nomad Enterprise where a prefix-based ACL policy lookup can cause incorrect rule application and shadowing. Root cause details are not fully elaborated beyond this behavior in the provided documents, but fixes are specified: Nomad Community Editio...

8.1CVSS8AI score0.00484EPSS
CVE
CVE
added 2024/12/20 1:49 a.m.77 views

CVE-2024-12678

Nomad CVE-2024-12678 affects Nomad Community Edition and Nomad Enterprise allocations, where privilege escalation within a namespace can occur via unredacted workload identity tokens. Affected versions: Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16. Root cause: unred...

6.5CVSS6.6AI score0.00541EPSS
CVE
CVE
added 2020/01/31 12:43 p.m.75 views

CVE-2020-7956

CVE-2020-7956 affects HashiCorp Nomad and Nomad Enterprise up to 0.10.2. The root cause is incorrect validation of the role/region associated with TLS certificates used for mTLS RPC, which could lead to privilege escalation. A fix is available in version 0.10.3 (Nomad/Nomad Enterprise). The conne...

9.8CVSS9.4AI score0.00983EPSS
CVE
CVE
added 2023/04/05 7:10 p.m.75 views

CVE-2023-1782

CVE-2023-1782 affects HashiCorp Nomad and Nomad Enterprise versions 1.5.0 through 1.5.2, where unauthenticated users can bypass ACL authorizations in clusters that do not use mTLS. Root cause: ACL bypass due to missing/authz checks under non-mTLS configurations. Impact is described as total acces...

9.9CVSS9.2AI score0.00759EPSS
CVE
CVE
added 2021/10/07 1:48 p.m.73 views

CVE-2021-41865

CVE-2021-41865 affects HashiCorp Nomad and Nomad Enterprise 1.1.1–1.1.5. The issue arises in the job submission flow when using a Consul mesh gateway with host networking mode, where authenticated users with submission capabilities can submit incomplete job specifications and trigger denial of se...

6.5CVSS6.2AI score0.00967EPSS
CVE
CVE
added 2022/11/10 5:34 a.m.69 views

CVE-2022-3866

CVE-2022-3866 affects HashiCorp Nomad and Nomad Enterprise versions 1.4.0 through 1.4.1, where the workload identity token could list non-sensitive metadata for paths under the nomad/ namespace that belong to other jobs in the same namespace. The issue is fixed in version 1.4.2. The documented im...

5CVSS4.6AI score0.00508EPSS
CVE
CVE
added 2024/02/08 7:20 p.m.65 views

CVE-2024-1329

CVE-2024-1329 affects HashiCorp Nomad and Nomad Enterprise (1.5.13 up to 1.6.6, and 1.7.3) where the template renderer allows arbitrary file write on the host via symlink attacks, executable by the Nomad client user. Root cause is a symlink/templating path exposure enabling host file writes. Impa...

7.7CVSS7.4AI score0.00617EPSS
CVE
CVE
added 2024/07/23 12:16 a.m.64 views

CVE-2024-6717

HashiCorp Nomad and Nomad Enterprise versions 1.6.12 up to 1.7.9, and 1.8.1 are affected by CVE-2024-6717 due to path escaping of the allocation directory during archive unpacking in migration. The fixed releases are Nomad 1.6.13, 1.7.10, and 1.8.2. Near-term risk is a potential path traversal du...

8.6CVSS7.5AI score0.00388EPSS
CVE
CVE
added 2022/11/10 5:45 a.m.63 views

CVE-2022-3867

CVE-2022-3867 affects HashiCorp Nomad and Nomad Enterprise versions 1.4.0–1.4.1, where event stream subscribers using a TTL token can continue to receive updates until the token is garbage-collected. The underlying issue is tied to how TTL tokens are handled for event stream subscriptions, allowi...

4.3CVSS4.1AI score0.00462EPSS
CVE
CVE
added 2023/07/19 11:34 p.m.63 views

CVE-2023-3072

CVE-2023-3072 affects HashiCorp Nomad and Nomad Enterprise: ACL policies using a block without a label can be applied to unexpected resources. Impact is stated as unexpected policy application to resources; affected versions are Nomad 0.7.0–1.5.6 and Nomad Enterprise 1.4.10 (also listed as 1.4.10...

4.1CVSS4.1AI score0.00364EPSS
CVE
CVE
added 2024/11/07 9:4 p.m.58 views

CVE-2024-10975

CVE-2024-10975 affects HashiCorp Nomad: Nomad Community Edition prior to 1.9.2 and Nomad Enterprise prior to 1.9.2, 1.8.7, or 1.7.15. The issue allows arbitrary cross-namespace volume creation via unauthorized CSI writes, with CVSS v3.1 base score 7.7 (HIGH): network attack vector, requiring low ...

7.7CVSS7.3AI score0.00456EPSS
CVE
CVE
added 2024/08/14 11:20 p.m.58 views

CVE-2024-7625

Vulnerability summary (CVE-2024-7625) : HashiCorp Nomad and Nomad Enterprise prior to fixed versions are affected by an archive-unpacking bug that allows writes outside the allocation directory during migration when multiple archive headers target the same file. A prerequisite is access or compro...

5.8CVSS5.4AI score0.00333EPSS
CVE
CVE
added 2025/05/13 6:40 p.m.58 views

CVE-2025-3744

CVE-2025-3744 affects HashiCorp Nomad Enterprise: when using the policy override option, Nomad Enterprise jobs can bypass mandatory sentinel policies. Root cause details are not explicitly enumerated beyond this bypass behavior, but the vulnerability is quantified as high severity (CVSS v3.1: 7.6...

7.6CVSS7.4AI score0.00237EPSS
CVE
CVE
added 2023/07/19 11:35 p.m.57 views

CVE-2023-3299

The CVE-2023-3299 entry affects HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10. The underlying issue is that ACL policies using a block without a label generate unexpected results. A fix is available in Nomad Enterprise 1.6.0, as well as 1.5.7 and 1.4.11. The provided documents do not ...

3.4CVSS3.5AI score0.00493EPSS