VYPR

Nomad Enterprise

by Hashicorp

Source repositories

CVEs (25)

  • CVE-2023-1782CriApr 5, 2023
    risk 0.64cvss 9.9epss 0.01

    HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

  • CVE-2022-30324CriJun 2, 2022
    risk 0.64cvss 9.8epss 0.01

    HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.

  • CVE-2025-4922HigJun 11, 2025
    risk 0.53cvss 8.1epss 0.00

    Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

  • CVE-2026-7474HigMay 12, 2026
    risk 0.51cvss 8.8epss 0.07

    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

  • CVE-2025-3744HigMay 13, 2025
    risk 0.49cvss 7.6epss 0.00

    Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13.

  • CVE-2023-1299HigMar 14, 2023
    risk 0.48cvss 7.4epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

  • CVE-2025-0937HigFeb 12, 2025
    risk 0.46cvss 7.1epss 0.00

    Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.

  • CVE-2024-10975HigNov 7, 2024
    risk 0.43cvss 7.7epss 0.00

    Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community…

  • CVE-2024-6717HigJul 23, 2024
    risk 0.43cvss 7.7epss 0.00

    HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.

  • CVE-2024-1329HigFeb 8, 2024
    risk 0.43cvss 7.7epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

  • CVE-2023-0821MedFeb 16, 2023
    risk 0.42cvss 6.5epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

  • CVE-2022-24683HigFeb 17, 2022
    risk 0.42cvss 7.5epss 0.02

    HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.

  • CVE-2022-24684MedFeb 15, 2022
    risk 0.42cvss 6.5epss 0.01

    HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2021-41865MedOct 7, 2021
    risk 0.42cvss 6.5epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.

  • CVE-2024-7625MedAug 15, 2024
    risk 0.38cvss 5.8epss 0.00

    In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This…

  • CVE-2025-1296MedMar 10, 2025
    risk 0.35cvss 6.5epss 0.00

    Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise…

  • CVE-2024-12678MedDec 20, 2024
    risk 0.35cvss 6.5epss 0.01

    Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise…

  • CVE-2020-10944MedApr 28, 2020
    risk 0.35cvss 5.4epss 0.01

    HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5.

  • CVE-2026-6959MedMay 12, 2026
    risk 0.32cvss 6.0epss 0.00

    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

  • CVE-2023-3300MedJul 20, 2023
    risk 0.27cvss 5.3epss 0.00

    HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.

Page 1 of 2