CVE-2024-1329

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 08:50

Type Values Removed Values Added
References () https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack - Vendor Advisory () https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack - Vendor Advisory
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 7.7

26 Sep 2024, 18:15

Type Values Removed Values Added
Summary (en) HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14. (en) HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
CWE CWE-59

15 Feb 2024, 18:27

Type Values Removed Values Added
Summary
  • (es) HashiCorp Nomad y Nomad Enterprise 1.5.13 hasta 1.6.6 y 1.7.3 el renderizador de plantillas es vulnerable a la escritura de archivos arbitrarios en el host como usuario del cliente Nomad a través de ataques de enlaces simbólicos. Corregido en Nomad 1.7.4, 1.6.7, 1.5.14.
CVSS v2 : unknown
v3 : 7.7
v2 : unknown
v3 : 7.5
References () https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack - () https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack - Vendor Advisory
First Time Hashicorp
Hashicorp nomad
CPE cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*

08 Feb 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-08 20:15

Updated : 2024-11-21 08:50


NVD link : CVE-2024-1329

Mitre link : CVE-2024-1329

CVE.ORG link : CVE-2024-1329


JSON object : View

Products Affected

hashicorp

  • nomad
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-610

Externally Controlled Reference to a Resource in Another Sphere