VYPR

Go modules package

github.com/hashicorp/nomad

pkg:golang/github.com/hashicorp/nomad

Vulnerabilities (32)

  • CVE-2025-4922Jun 11, 2025
    affected < 1.10.2fixed 1.10.2

    Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

  • CVE-2025-1296Mar 10, 2025
    affected <= 1.9.6

    Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8

  • CVE-2024-12678Dec 20, 2024
    affected < 1.9.4fixed 1.9.4

    Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4

  • CVE-2024-10975Nov 7, 2024
    affected <= 1.9.1

    Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Editi

  • CVE-2024-7625Aug 14, 2024
    affected >= 0.6.1, < 1.6.14fixed 1.6.14

    In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerabi

  • CVE-2024-6717Jul 23, 2024
    affected < 1.8.2fixed 1.8.2

    HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.

  • CVE-2024-1329Feb 8, 2024
    affected >= 1.5.13, < 1.5.14fixed 1.5.14

    HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

  • CVE-2023-3300Jul 19, 2023
    affected >= 0.11.0, < 1.4.11fixed 1.4.11

    HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.

  • CVE-2023-3299Jul 19, 2023
    affected >= 1.2.11, < 1.4.11fixed 1.4.11

    HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

  • CVE-2023-3072Jul 19, 2023
    affected >= 0.7.0, < 1.4.11fixed 1.4.11

    HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

  • CVE-2023-1782Apr 5, 2023
    affected >= 1.5.0, < 1.5.3fixed 1.5.3

    HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

  • CVE-2023-1299Mar 14, 2023
    affected >= 1.5.0, < 1.5.1fixed 1.5.1

    HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

  • CVE-2023-1296Mar 14, 2023
    affected >= 1.4.0, < 1.4.6fixed 1.4.6

    HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

  • CVE-2023-0821Feb 16, 2023
    affected >= 1.2.15, < 1.2.16fixed 1.2.16

    HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

  • CVE-2019-14802Dec 26, 2022
    affected < 0.9.5fixed 0.9.5

    HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.

  • CVE-2022-3867Nov 10, 2022
    affected >= 1.4.0, < 1.4.2fixed 1.4.2

    HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.

  • CVE-2022-3866Nov 10, 2022
    affected >= 1.4.0, < 1.4.2fixed 1.4.2

    HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

  • CVE-2022-41606Oct 11, 2022
    affected < 1.2.13fixed 1.2.13

    HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

  • CVE-2022-30324May 27, 2022
    affected >= 0.2.0, < 1.1.14fixed 1.1.14

    HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.

  • CVE-2022-24685Feb 28, 2022
    affected >= 1.0.0, < 1.0.17fixed 1.0.17

    HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

Page 1 of 2