Arbitrary file reads in HashiCorp Nomad
High severity
GitHub Reviewed
Published Feb 18, 2022 to the GitHub Advisory Database • Updated Apr 21, 2023
Package
Affected versions
>= 0.9.2, < 1.0.18
>= 1.1.0, < 1.1.12
>= 1.2.0, < 1.2.6
Patched versions
1.0.18
1.1.12
1.2.6
Description
Published by the National Vulnerability Database: Feb 17, 2022
Published to the GitHub Advisory Database: Feb 18, 2022
Reviewed: Mar 1, 2022
Last updated: Apr 21, 2023
Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise versions 0.9.2 through 1.0.17, 1.1.0 through 1.1.11, and 1.2.0 through 1.2.5 allow operators holding the read-fs capability together with alloc-exec (or job-submit) to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade to a patched version (1.0.18, 1.1.12, or 1.2.6) as soon as possible to avoid this issue.
References