CVE-2022-41606 - OpenCVE

HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hashicorp	Nomad

Configuration 1 [-]

OR	cpe:2.3:a:hashicorp:nomad:::::-:::*
	cpe:2.3:a:hashicorp:nomad:::::enterprise:::*
	cpe:2.3:a:hashicorp:nomad:::::-:::*
	cpe:2.3:a:hashicorp:nomad:::::enterprise:::*

References

Link	Resource
https://discuss.hashicorp.com	Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-11T00:00:00

Updated: 2022-10-11T00:00:00

Reserved: 2022-09-27T00:00:00

Link: CVE-2022-41606

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-10-12T00:15:10.537

Modified: 2022-10-13T17:16:16.880

Link: CVE-2022-41606

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*", "matchCriteriaId": "8043FBD6-1363-4829-8635-FFE486F76986", "versionEndExcluding": "1.2.13", "versionStartIncluding": "1.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "41143EB3-7927-4C48-887E-2D6B6AFF1A15", "versionEndExcluding": "1.2.13", "versionStartIncluding": "1.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*", "matchCriteriaId": "5A97DD24-5BA6-4D1A-8712-0C6C852AD00B", "versionEndExcluding": "1.3.6", "versionStartIncluding": "1.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "582537C8-CF33-40C5-BA50-066DF02A00A9", "versionEndExcluding": "1.3.6", "versionStartIncluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0."}, {"lang": "es", "value": "Los trabajos de HashiCorp Nomad y Nomad Enterprise versiones 1.0.2 hasta 1.2.12, y 1.3.5, enviados con una estrofa de artefacto usando URLs S3 o GCS no v\u00e1lidas pueden ser usados para bloquear los agentes cliente. Corregido en versiones 1.2.13, 1.3.6 y 1.4.0"}], "id": "CVE-2022-41606", "lastModified": "2022-10-13T17:16:16.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-12T00:15:10.537", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}