CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-24683
https://notcve.org/view.php?id=CVE-2022-24683
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. HashiCorp Nomad y Nomad Enterprise versiones 0.9.2 hasta 1.0.17, 1.1.11 y 1.2.5 permiten a operadores con capacidades read-fs y alloc-exec (o job-submit) leer archivos arbitrarios en el sistema de archivos del host como root • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560 https://security.netapp.com/advisory/ntap-20220318-0008 •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-24684
https://notcve.org/view.php?id=CVE-2022-24684
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6. HashiCorp Nomad y Nomad Enterprise versiones 0.9.0 hasta 1.0.16, 1.1.11 y 1.2.5 permiten a los operadores con capacidades de envío de trabajos utilizar la estrofa de propagación para hacer entrar en pánico a los agentes del servidor. Corregido en las versiones 1.0.18, 1.1.12 y 1.2.6. • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562 https://security.netapp.com/advisory/ntap-20220318-0008 •
CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0CVE-2022-24686
https://notcve.org/view.php?id=CVE-2022-24686
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6 La funcionalidad artifact download de HashiCorp Nomad y Nomad Enterprise versiones 0.3.0 hasta 1.0.17, 1.1.11 y 1.2.5, presenta una condición de carrera que hace que el agente cliente de Nomad pueda descargar el artefacto equivocado en el destino equivocado. Corregido en versiones 1.0.18, 1.1.12 y 1.2.6 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559 https://security.netapp.com/advisory/ntap-20220318-0008 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-45042
https://notcve.org/view.php?id=CVE-2021-45042
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. En HashiCorp Vault y Vault Enterprise versiones anteriores a 1.7.7, 1.8.x anteriores a 1.8.6 y 1.9.x anteriores a 1.9.1, los clusters que usaban el backend de almacenamiento integrado permitían a un usuario autenticado (con permisos de escritura en un motor de secretos kv) causar un pánico y una denegación de servicio del backend de almacenamiento. La primera versión afectada es la 1.4.0 • https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-integrated-storage-exposed-to-authenticated-denial-of-service/33157 https://security.gentoo.org/glsa/202207-01 https://www.hashicorp.com/blog/category/vault •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-41805
https://notcve.org/view.php?id=CVE-2021-41805
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. HashiCorp Consul Enterprise versiones anteriores a 1.8.17, 1.9.x anteriores a 1.9.11 y 1.10.x anteriores a 1.10.4, presenta un Control de Acceso Incorrecto. Un token ACL (con el operador predeterminado: permisos de escritura) en un espacio de nombres puede ser usado para una escalada de privilegios no intencionada en un espacio de nombres diferente • https://github.com/blackm4c/CVE-2021-41805 https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871 https://security.netapp.com/advisory/ntap-20211229-0007 https://www.hashicorp.com/blog/category/consul • CWE-863: Incorrect Authorization •