VYPR
Moderate severityNVD Advisory· Published Aug 14, 2024· Updated Jan 9, 2025

Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking

CVE-2024-7625

Description

In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access or compromise of the Nomad client agent at the source allocation first is a prerequisite for leveraging this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/hashicorp/nomadGo
>= 0.6.1, < 1.6.141.6.14
github.com/hashicorp/nomadGo
>= 1.7.0, < 1.7.111.7.11
github.com/hashicorp/nomadGo
>= 1.8.0, < 1.8.31.8.3

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.