Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-1329

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

Published

2024-02-08T20:15:52.643

Last Modified

2024-11-21T08:50:20.753

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.7 (HIGH)

Weaknesses

Type: Secondary
CWE-59
Type: Primary
CWE-610

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	nomad	< 1.5.14	Yes
Application	hashicorp	nomad	< 1.6.7	Yes
Application	hashicorp	nomad	< 1.7.4	Yes
Application	hashicorp	nomad	< 1.5.14	Yes
Application	hashicorp	nomad	< 1.6.7	Yes
Application	hashicorp	nomad	< 1.7.4	Yes

References

https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack Vendor Advisory ([email protected])
https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)