Moderate severityNVD Advisory· Published Aug 14, 2024· Updated Jan 9, 2025
Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking
CVE-2024-7625
Description
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access or compromise of the Nomad client agent at the source allocation first is a prerequisite for leveraging this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/nomadGo | >= 0.6.1, < 1.6.14 | 1.6.14 |
github.com/hashicorp/nomadGo | >= 1.7.0, < 1.7.11 | 1.7.11 |
github.com/hashicorp/nomadGo | >= 1.8.0, < 1.8.3 | 1.8.3 |
Affected products
3- Range: 0.6.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.