CVE-2022-30324
Description
HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Nomad versions 0.2.0 through 1.3.0 are vulnerable to privilege escalation via crafted artifact stanzas in jobs due to go-getter library flaws.
Vulnerability
HashiCorp Nomad and Nomad Enterprise versions 0.2.0 up to 1.3.0 are affected by multiple vulnerabilities in the go-getter library, identified as CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, and CVE-2022-30323 [4]. These vulnerabilities are exposed through the artifact stanza, which Nomad uses to retrieve files for jobs [4]. A specially crafted jobspec can trigger unsafe operations in go-getter, allowing an attacker to escape the intended artifact retrieval mechanism [4]. The affected Nomad versions include all releases from 0.2.0 through 1.3.0 [2][4].
Exploitation
An attacker requires the ability to submit jobs to a Nomad cluster [4]. By crafting a malicious artifact stanza in a job specification, the attacker can leverage the go-getter flaws to execute arbitrary commands or access unintended files on the Nomad client agent host [4]. No additional authentication or network position is needed beyond the standard job submission permissions, making this a realistic attack vector for operators with job creation rights [4].
Impact
Successful exploitation results in privilege escalation on the Nomad client agent host [1][4]. The attacker can gain code execution at the privilege level of the Nomad client process, potentially leading to full compromise of the client node, including access to sensitive data and the ability to launch further attacks [4].
Mitigation
The vulnerabilities are fixed in Nomad and Nomad Enterprise versions 1.1.14, 1.2.8, and 1.3.1 [2][4]. Users should upgrade to one of these fixed versions or later [4]. No workarounds have been identified; upgrading is the only remediation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/nomad (Go) | >= 0.2.0, < 1.1.14 | 1.1.14 |
| github.com/hashicorp/nomad (Go) | >= 1.2.0, < 1.2.8 | 1.2.8 |
| github.com/hashicorp/nomad (Go) | >= 1.3.0, < 1.3.1 | 1.3.1 |
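A version check built from the affected ranges in the table above, as an added example that is not part of the advisory or of HashiCorp's tooling. The function names and the sample inventory are hypothetical; counting a pre-release build of a patched version as affected is a conservative assumption made here.

```python
import re

# (first affected, first patched) pairs, copied from the affected-packages table.
AFFECTED_RANGES = [
    ((0, 2, 0), (1, 1, 14)),
    ((1, 2, 0), (1, 2, 8)),
    ((1, 3, 0), (1, 3, 1)),
]

# Accepts an optional leading "v", a pre-release tag ("-rc.1") and build
# metadata ("+ent", the suffix used by Nomad Enterprise version strings).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a Nomad version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(match.group(i)) for i in (1, 2, 3))
    return core, match.group(4) is not None


def fixed_version_for(text):
    """Return the patched release to upgrade to, or None if not in an affected range."""
    core, prerelease = parse_version(text)
    for first_affected, first_patched in AFFECTED_RANGES:
        in_range = first_affected <= core < first_patched
        # Assumption: a pre-release of the patched version predates the fix.
        early_build = prerelease and core == first_patched
        if in_range or early_build:
            return ".".join(str(part) for part in first_patched)
    return None


def audit(inventory):
    """Map each affected node name to the release it should be upgraded to."""
    findings = {}
    for node, version in inventory.items():
        target = fixed_version_for(version)
        if target is not None:
            findings[node] = target
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: node name -> reported Nomad version.
    sample = {"client-a": "1.3.0", "client-b": "1.2.7+ent", "client-c": "1.1.14"}
    for node, target in sorted(audit(sample).items()):
        print(f"{node}: upgrade to {target} or later")
```

Versions between the listed ranges, such as 1.1.15, are reported as unaffected because the table gives each release line its own patched version.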
Affected products
- HashiCorp/Nomad and Nomad Enterprise
References
- github.com/advisories/GHSA-526x-rm7j-v389 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-30324 (ghsa, ADVISORY)
- discuss.hashicorp.com (ghsa, x_refsource_MISC, WEB)
- discuss.hashicorp.com/t/hcsec-2022-14-nomad-impacted-by-go-getter-vulnerabilities/39932 (ghsa, x_refsource_MISC, WEB)