VYPR

Go modules package

github.com/hashicorp/nomad

pkg:golang/github.com/hashicorp/nomad

Vulnerabilities (32)

  • CVE-2022-24683Feb 17, 2022
    affected >= 0.9.2, < 1.0.18fixed 1.0.18

    HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.

  • CVE-2022-24684Feb 15, 2022
    affected >= 0.9.0, < 1.0.18fixed 1.0.18

    HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2022-24686Feb 14, 2022
    affected >= 0.3.0, < 1.0.18fixed 1.0.18

    HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6

  • CVE-2021-43415Dec 3, 2021
    affected < 1.0.14fixed 1.0.14

    HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.

  • CVE-2021-37218Sep 7, 2021
    affected < 1.0.10fixed 1.0.10

    HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4.

  • CVE-2021-32575Jun 17, 2021
    affected >= 1.0.0, < 1.0.5fixed 1.0.5

    HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.

  • CVE-2021-3283Feb 1, 2021
    affected >= 1.0.0, < 1.0.3fixed 1.0.3

    HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3.

  • CVE-2020-28348Nov 24, 2020
    affected >= 0.9.0, < 0.10.8fixed 0.10.8

    HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.

  • CVE-2020-27195Oct 22, 2020
    affected >= 0.9.0, < 0.10.6fixed 0.10.6

    HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6

  • CVE-2020-7956Jan 31, 2020
    affected < 0.10.3fixed 0.10.3

    HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.

  • CVE-2020-7218Jan 31, 2020
    affected < 0.10.3fixed 0.10.3

    HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3.

  • CVE-2019-12618Aug 12, 2019
    affected >= 0.9.0, < 0.9.2fixed 0.9.2

    HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.

Page 2 of 2