cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-12678,https://securityvulnerability.io/vulnerability/CVE-2024-12678,Privilege Escalation Vulnerability in HashiCorp Nomad Allocations,"The vulnerability identified as CVE-2024-12678 affects HashiCorp's Nomad Community and Enterprise editions, enabling privilege escalation within a namespace due to the exposure of unredacted workload identity tokens. This security flaw can potentially allow an attacker to gain elevated permissions, compromising the integrity and security of the affected system. The issue has been addressed in the latest versions released by HashiCorp, ensuring that users can secure their environments and maintain operational safety.",Hashicorp,"Nomad,Nomad Enterprise",6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-20T01:49:40.583Z,0
CVE-2024-10975,https://securityvulnerability.io/vulnerability/CVE-2024-10975,Arbitrary Cross-Namespace Volume Creation Vulnerability,"The Nomad volume specification is susceptible to a vulnerability that permits arbitrary cross-namespace volume creation. This occurs due to unauthorized writes via the Container Storage Interface (CSI), which does not adequately enforce proper permissions. Attackers can exploit this vulnerability to interfere with or manipulate volumes across different namespaces, potentially leading to data leaks or unauthorized access to sensitive information. The issue has been addressed in the releases of Nomad Community Edition 1.9.2 and Nomad Enterprise versions 1.9.2, 1.8.7, and 1.7.15.",Hashicorp,"Nomad,Nomad Enterprise",7.7,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-07T21:04:43.804Z,0
CVE-2024-7625,https://securityvulnerability.io/vulnerability/CVE-2024-7625,Nomad Archives Vulnerability: Write Access Outside Allocation Directory,"In HashiCorp Nomad and Nomad Enterprise versions from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, an issue exists within the archive unpacking process that permits unauthorized writes to locations outside of allocated directories during the migration of those directories. This occurs when multiple archive headers point to the same target file, potentially leading to significant security risks. Access to the Nomad client agent at the source allocation is required to exploit this vulnerability, which emphasizes the need for secure handling of client agent access.",Hashicorp,"Nomad,Nomad Enterprise",5.8,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-08-15T00:15:00.000Z,0
CVE-2024-6717,https://securityvulnerability.io/vulnerability/CVE-2024-6717,Nomad Platform Vulnerable to Path Escape During Migration,"A vulnerability exists in HashiCorp Nomad and Nomad Enterprise due to improper handling of archive unpacking during migration processes. Specifically, versions 1.6.12 through 1.7.9 and 1.8.1 are susceptible to path escaping issues that may allow an attacker to manipulate the allocation directory. This flaw underscores the importance of upgrading to patched versions 1.6.13, 1.7.10, or 1.8.2 to prevent potential security risks. Organizations using affected versions should prioritize remediation to maintain the integrity of their deployment environments.",Hashicorp,"Nomad,Nomad Enterprise",7.7,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-23T01:15:00.000Z,0
CVE-2024-1329,https://securityvulnerability.io/vulnerability/CVE-2024-1329,Nomad Client User Arbitrary File Write Vulnerability,"The vulnerability in HashiCorp Nomad and Nomad Enterprise versions 1.5.13 through 1.6.6 and 1.7.3 allows for arbitrary file write capabilities on the host system. This occurs due to insufficient validation of symlink paths by the template renderer. Attackers can exploit this flaw by creating malicious symlinks that lead to unauthorized file writes. The identified issue has been resolved in subsequent releases: Nomad 1.7.4, 1.6.7, and 1.5.14, highlighting the importance of keeping software updated to mitigate such vulnerabilities.",Hashicorp,"Nomad,Nomad Enterprise",7.5,HIGH,0.0005099999834783375,false,,false,false,false,,,false,false,,2024-02-08T19:20:10.831Z,0
CVE-2023-3299,https://securityvulnerability.io/vulnerability/CVE-2023-3299,Nomad Caller ACL Token's Secret ID is Exposed to Sentinel,"HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.",Hashicorp,Nomad Enterprise,3.4,LOW,0.000539999979082495,false,,false,false,false,,,false,false,,2023-07-20T00:15:00.000Z,0
CVE-2023-3072,https://securityvulnerability.io/vulnerability/CVE-2023-3072,Nomad ACL Policies without Label are Applied to Unexpected Resources,"HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.",Hashicorp,"Nomad,Nomad Enterprise",4.1,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2023-07-20T00:15:00.000Z,0
CVE-2023-3300,https://securityvulnerability.io/vulnerability/CVE-2023-3300,Nomad Search API Leaks Information About CSI Plugins,"HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.",Hashicorp,"Nomad,Nomad Enterprise",5.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,,false,false,,2023-07-20T00:15:00.000Z,0
CVE-2023-1782,https://securityvulnerability.io/vulnerability/CVE-2023-1782,Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation,"HashiCorp Nomad and Nomad Enterprise versions 1.5.0 to 1.5.2 are susceptible to a vulnerability that allows unauthenticated users to circumvent Access Control List (ACL) authorizations. This flaw arises in configurations where mutual Transport Layer Security (mTLS) is not enabled, potentially granting unauthorized access to cluster resources. The issue has been addressed in version 1.5.3, and users are advised to upgrade to ensure the security of their deployments.",Hashicorp,"Nomad,Nomad Enterprise",10,CRITICAL,0.0016499999910593033,false,,false,false,false,,,false,false,,2023-04-05T20:15:00.000Z,0
CVE-2023-1296,https://securityvulnerability.io/vulnerability/CVE-2023-1296,Nomad ACLs Can Not Deny Access to Workload's Own Variables,HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.,HashiCorp,"Nomad,Nomad Enterprise",5.3,MEDIUM,0.0006099999882280827,false,,false,false,false,,,false,false,,2023-03-14T15:15:00.000Z,0
CVE-2023-1299,https://securityvulnerability.io/vulnerability/CVE-2023-1299,Nomad Job Submitter Privilege Escalation Using Workload Identity,"A vulnerability exists in HashiCorp Nomad and Nomad Enterprise version 1.5.0 that allows a job submitter to escalate their privileges to management-level access via the workload identity feature and task API. This can lead to unauthorized actions and modifications within the Nomad environment. The issue has been addressed in version 1.5.1, making it crucial for users to update and secure their systems.",HashiCorp,"Nomad,Nomad Enterprise",8.8,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2023-03-14T15:15:00.000Z,0
CVE-2023-0821,https://securityvulnerability.io/vulnerability/CVE-2023-0821,Nomad Client Vulnerable to Decompression Bombs in Artifact Block,"HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.",HashiCorp,"Nomad,Nomad Enterprise",6.5,MEDIUM,0.0008099999977275729,false,,false,false,false,,,false,false,,2023-02-16T22:15:00.000Z,0
CVE-2019-14802,https://securityvulnerability.io/vulnerability/CVE-2019-14802,Environment Variable Disclosure in HashiCorp Nomad by HashiCorp,"An environment variable disclosure vulnerability was found in HashiCorp Nomad versions 0.5.0 through 0.9.4. This flaw allows unintended exposure of sensitive environment variables during the template rendering process in the components nomad/client/allocrunner/taskrunner/template. This can potentially lead to information leakage, compromising the confidentiality of sensitive data. The issue has been addressed in version 0.9.5, and users are encouraged to update their installations to mitigate the risk.",Hashicorp,Nomad,5.3,MEDIUM,0.0006099999882280827,false,,false,false,false,,,false,false,,2022-12-26T00:00:00.000Z,0
CVE-2022-3867,https://securityvulnerability.io/vulnerability/CVE-2022-3867,Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected,HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.,Hashicorp,"Nomad,Nomad Enterprise",2.7,LOW,0.000539999979082495,false,,false,false,false,,,false,false,,2022-11-10T05:45:53.550Z,0
CVE-2022-3866,https://securityvulnerability.io/vulnerability/CVE-2022-3866,Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/,HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.,Hashicorp,"Nomad,Nomad Enterprise",5,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2022-11-10T05:34:52.468Z,0
CVE-2022-41606,https://securityvulnerability.io/vulnerability/CVE-2022-41606,Vulnerability in HashiCorp Nomad Affects Job Submission with Invalid URLs,"HashiCorp Nomad and Nomad Enterprise versions 1.0.2 through 1.2.12 and 1.3.5 are affected by a vulnerability that allows attackers to exploit invalid S3 or GCS URLs in artifact stanzas when job submissions are made. This flaw can lead to crashes of client agents, impacting the stability and reliability of the Nomad deployment. The vulnerability has been addressed in subsequent versions 1.2.13, 1.3.6, and 1.4.0, which users are encouraged to upgrade to in order to mitigate this issue.",Hashicorp,Nomad,6.5,MEDIUM,0.0008099999977275729,false,,false,false,false,,,false,false,,2022-10-12T00:15:00.000Z,0
CVE-2022-30324,https://securityvulnerability.io/vulnerability/CVE-2022-30324,Privilege Escalation Vulnerability in HashiCorp Nomad and Nomad Enterprise,"A vulnerability in HashiCorp Nomad and Nomad Enterprise allows for privilege escalation due to improperly handled artifact stanzas in submitted jobs, potentially compromising client agent hosts. This issue affects versions 0.2.0 through 1.3.0 and has been addressed in the updates 1.1.14, 1.2.8, and 1.3.1. Users are encouraged to upgrade to mitigate potential risks.",Hashicorp,Nomad,9.8,CRITICAL,0.0024399999529123306,false,,false,false,false,,,false,false,,2022-06-02T14:15:00.000Z,0
CVE-2022-24685,https://securityvulnerability.io/vulnerability/CVE-2022-24685,Job Parsing Vulnerability in HashiCorp Nomad and Nomad Enterprise,"In HashiCorp Nomad and Nomad Enterprise, certain versions improperly validate HashiCorp Configuration Language (HCL) in the jobs parse endpoint, leading to potential scenarios of excessive CPU usage. This vulnerability is resolved in versions 1.0.18, 1.1.12, and 1.2.6, which enhance input validation mechanisms to prevent malformed job definitions from causing performance degradation.",Hashicorp,Nomad,7.5,HIGH,0.003379999892786145,false,,false,false,false,,,false,false,,2022-02-28T13:26:51.000Z,0
CVE-2022-24683,https://securityvulnerability.io/vulnerability/CVE-2022-24683,Filesystem Exposure Vulnerability in HashiCorp Nomad and Nomad Enterprise,"A vulnerability in HashiCorp Nomad and Nomad Enterprise allows malicious operators with specific capabilities to access arbitrary files on the host filesystem with root permissions. This can lead to unauthorized access to sensitive information and potential system compromise. Operators possessing 'read-fs' and 'alloc-exec' or 'job-submit' capabilities are at risk, highlighting the importance of restricting these permissions to enhance overall security posture. Users are advised to review their capabilities and implement necessary safeguards.",Hashicorp,Nomad,7.5,HIGH,0.0016599999507889152,false,,false,false,false,,,false,false,,2022-02-17T16:36:37.000Z,0
CVE-2022-24684,https://securityvulnerability.io/vulnerability/CVE-2022-24684,Server Agent Panic Vulnerability in HashiCorp Nomad,"HashiCorp Nomad and Nomad Enterprise versions from 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 contain a vulnerability that allows operators with job-submit permissions to utilize the spread stanza in a manner that can trigger a panic in server agents. This could lead to significant disruptions in service and operational stability. The issue has been addressed in subsequent releases: 1.0.18, 1.1.12, and 1.2.6.",Hashicorp,Nomad,6.5,MEDIUM,0.003019999945536256,false,,false,false,false,,,false,false,,2022-02-15T14:04:46.000Z,0
CVE-2022-24686,https://securityvulnerability.io/vulnerability/CVE-2022-24686,Race Condition in HashiCorp Nomad Affecting Artifact Downloads,"A race condition vulnerability exists in HashiCorp Nomad and Nomad Enterprise, where the artifact download functionality may allow the Nomad client agent to mistakenly download the incorrect artifact into an unintended location. This can lead to operational issues and potential data integrity risks. The issue has been addressed in versions 1.0.18, 1.1.12, and 1.2.6.",Hashicorp,Nomad,5.9,MEDIUM,0.001120000029914081,false,,false,false,false,,,false,false,,2022-02-14T13:54:07.000Z,0
CVE-2021-43415,https://securityvulnerability.io/vulnerability/CVE-2021-43415,Path Bypass Vulnerability in HashiCorp Nomad with QEMU Task Driver,"A vulnerability exists in HashiCorp Nomad and Nomad Enterprise when the QEMU task driver is enabled. Authenticated users with job submission rights could exploit this weakness to bypass the pre-configured allowed image paths, allowing potentially unsafe operations to proceed without proper path verification. This issue was addressed in versions 1.0.14, 1.1.8, and 1.2.1, which enhance security by enforcing stricter controls on image path allowances.",Hashicorp,Nomad,8.8,HIGH,0.001019999966956675,false,,false,false,false,,,false,false,,2021-12-03T21:20:12.000Z,0
CVE-2021-41865,https://securityvulnerability.io/vulnerability/CVE-2021-41865,Denial of Service Vulnerability in HashiCorp Nomad and Nomad Enterprise,HashiCorp Nomad and Nomad Enterprise versions 1.1.1 through 1.1.5 contain a vulnerability that allows authenticated users with job submission capabilities to unintentionally initiate a denial of service. This occurs when incomplete job specifications are submitted through a Consul mesh gateway while using host networking mode. The vulnerability has been addressed in version 1.1.6.,Hashicorp,Nomad,6.5,MEDIUM,0.0008099999977275729,false,,false,false,false,,,false,false,,2021-10-07T13:48:36.000Z,0
CVE-2021-37218,https://securityvulnerability.io/vulnerability/CVE-2021-37218,Privilege Escalation in HashiCorp Nomad and Nomad Enterprise,"The Raft RPC layer in HashiCorp Nomad and Nomad Enterprise has a vulnerability that allows non-server agents with valid certificates, signed by the same Certificate Authority (CA), to access functionalities typically reserved for server-only operations. This could result in unauthorized privilege escalation, potentially compromising the security of deployments. Users should ensure they update to version 1.0.10 or 1.1.4 to mitigate this risk.",Hashicorp,Nomad,8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2021-09-07T11:40:36.000Z,0
CVE-2021-32575,https://securityvulnerability.io/vulnerability/CVE-2021-32575,ARP Spoofing Vulnerability in HashiCorp Nomad and Nomad Enterprise Networking Mode,"The vulnerability in HashiCorp Nomad and Nomad Enterprise allows ARP spoofing due to the bridge networking mode. This issue enables malicious tasks on the same node to intercept network traffic by spoofing ARP requests, potentially compromising sensitive data. The flaw has been addressed in the updates 0.12.12, 1.0.5, and 1.1.0 RC1, emphasizing the importance of keeping your Nomad installation patched to mitigate such risks.",Hashicorp,Nomad,6.5,MEDIUM,0.0006300000241026282,false,,false,false,false,,,false,false,,2021-06-17T18:28:21.000Z,0