PT-2022-3351 · Hashicorp · Nomad Enterprise+1

Published: 2022-05-24 · Updated: 2024-08-21 · CVE-2022-30324

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

HashiCorp Nomad and Nomad Enterprise versions 0.2.0 through 1.3.0

Description

The issue is insufficient access control in the go-getter library used by the Nomad application orchestrator, and it arises when the artifact stanza is used. A remote attacker can use the artifact stanza in submitted jobs to escalate privileges onto the client agent host.

Recommendations

For versions 0.2.0 through 1.0.x, update to version 1.1.14. For versions 1.1.x, update to version 1.1.14. For versions 1.2.x, update to version 1.2.8. For versions 1.3.x, update to version 1.3.1. As a temporary workaround, consider restricting access to the artifact stanza in submitted jobs to minimize the risk of exploitation.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2022-04109
CVE-2022-30324
GHSA-526X-RM7J-V389
GO-2022-0732

Affected Products

Hashicorp Nomad
Nomad Enterprise