CVE-2023-3072 – Nomad ACL Policies without Label are Applied to Unexpected Resources
https://notcve.org/view.php?id=CVE-2023-3072
HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. • https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270 • CWE-266: Incorrect Privilege Assignment CWE-862: Missing Authorization •
CVE-2023-0821 – Nomad Client Vulnerable to Decompression Bombs in Artifact Block
https://notcve.org/view.php?id=CVE-2023-0821
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4. • https://discuss.hashicorp.com/t/hcsec-2023-05-nomad-client-vulnerable-to-decompression-bombs-in-artifact-block/50292 • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVE-2022-41606
https://notcve.org/view.php?id=CVE-2022-41606
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. Los trabajos de HashiCorp Nomad y Nomad Enterprise versiones 1.0.2 hasta 1.2.12, y 1.3.5, enviados con una estrofa de artefacto usando URLs S3 o GCS no válidas pueden ser usados para bloquear los agentes cliente. Corregido en versiones 1.2.13, 1.3.6 y 1.4.0 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420 •
CVE-2022-30324
https://notcve.org/view.php?id=CVE-2022-30324
HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1. HashiCorp Nomad y Nomad Enterprise versiones 0.2.0 hasta 1.3.0, fueron impactados por vulnerabilidades de go-getter que permiten una escalada de privilegios mediante la estrofa de artefactos en los trabajos enviados en el host del agente cliente. Corregido en versiones 1.1.14, 1.2.8 y 1.3.1 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-14-nomad-impacted-by-go-getter-vulnerabilities/39932 •