VYPR

Nomad

by HashiCorp

CVEs (27)

  • CVE-2023-1782 | Critical | Apr 5, 2023
    risk 0.64 | CVSS 9.9 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

  • CVE-2025-4922 | High | Jun 11, 2025
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

  • CVE-2026-7474 | High | May 12, 2026
    risk 0.51 | CVSS 8.8 | EPSS 0.07

    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

  • CVE-2022-24685 | High | Feb 28, 2022
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2023-1299 | High | Mar 14, 2023
    risk 0.48 | CVSS 7.4 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

  • CVE-2025-0937 | High | Feb 12, 2025
    risk 0.46 | CVSS 7.1 | EPSS 0.00

    Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.

  • CVE-2024-10975 | High | Nov 7, 2024
    risk 0.43 | CVSS 7.7 | EPSS 0.00

    Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community…

  • CVE-2024-6717 | High | Jul 23, 2024
    risk 0.43 | CVSS 7.7 | EPSS 0.00

    HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.

  • CVE-2024-1329 | High | Feb 8, 2024
    risk 0.43 | CVSS 7.7 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

  • CVE-2023-0821 | Medium | Feb 16, 2023
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

  • CVE-2022-41606 | Medium | Oct 12, 2022
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

  • CVE-2021-41865 | Medium | Oct 7, 2021
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.

  • CVE-2024-7625 | Medium | Aug 15, 2024
    risk 0.38 | CVSS 5.8 | EPSS 0.00

    In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This…

  • CVE-2022-24686 | Medium | Feb 14, 2022
    risk 0.38 | CVSS 5.9 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2025-1296 | Medium | Mar 10, 2025
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise…

  • CVE-2024-12678 | Medium | Dec 20, 2024
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise…

  • CVE-2020-10944 | Medium | Apr 28, 2020
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5.

  • CVE-2024-23586 | Medium | Sep 27, 2024
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information.

  • CVE-2026-8052 | Medium | May 12, 2026
    risk 0.32 | CVSS 6.0 | EPSS 0.00

    HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

  • CVE-2026-6959 | Medium | May 12, 2026
    risk 0.32 | CVSS 6.0 | EPSS 0.00

    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
