HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
References
Link | Resource |
---|---|
https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288 | Mitigation Vendor Advisory |
https://www.hashicorp.com/blog/category/nomad | Product Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-12-03T21:20:12
Updated: 2021-12-03T21:20:12
Reserved: 2021-11-08T00:00:00
Link: CVE-2021-43415
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-12-03T22:15:07.757
Modified: 2023-08-08T14:22:24.967
Link: CVE-2021-43415
JSON object: View
Redhat Information
No data.
CWE