CVE-2022-24684
https://notcve.org/view.php?id=CVE-2022-24684
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6. HashiCorp Nomad y Nomad Enterprise versiones 0.9.0 hasta 1.0.16, 1.1.11 y 1.2.5 permiten a los operadores con capacidades de envío de trabajos utilizar la estrofa de propagación para hacer entrar en pánico a los agentes del servidor. Corregido en las versiones 1.0.18, 1.1.12 y 1.2.6. • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562 https://security.netapp.com/advisory/ntap-20220318-0008 •
CVE-2022-24686
https://notcve.org/view.php?id=CVE-2022-24686
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6 La funcionalidad artifact download de HashiCorp Nomad y Nomad Enterprise versiones 0.3.0 hasta 1.0.17, 1.1.11 y 1.2.5, presenta una condición de carrera que hace que el agente cliente de Nomad pueda descargar el artefacto equivocado en el destino equivocado. Corregido en versiones 1.0.18, 1.1.12 y 1.2.6 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559 https://security.netapp.com/advisory/ntap-20220318-0008 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2021-43415
https://notcve.org/view.php?id=CVE-2021-43415
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1. HashiCorp Nomad y Nomad Enterprise versiones hasta 1.0.13, 1.1.7 y 1.2.0, con el controlador de tareas QEMU habilitado, permitía a usuarios autenticados con capacidad de envío de trabajos omitir las rutas de imagen permitidas configuradas. Corregido en versiones 1.0.14, 1.1.8 y 1.2.1 • https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288 https://www.hashicorp.com/blog/category/nomad •
CVE-2021-37218
https://notcve.org/view.php?id=CVE-2021-37218
HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4. La capa RPC de HashiCorp Nomad y Nomad Enterprise Raft permite a agentes no servidores con un certificado válido firmado por la misma CA acceder a la funcionalidad server-only, permitiendo una escalada de privilegios. Corregido en versiones 1.0.10 y 1.1.4 • https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023 https://www.hashicorp.com/blog/category/nomad • CWE-295: Improper Certificate Validation •
CVE-2021-32575
https://notcve.org/view.php?id=CVE-2021-32575
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. HashiCorp Nomad y Nomad Enterprise versiones hasta 1.0.4, el modo de red bridge permite la suplantación de ARP desde otras tareas de bridged en el mismo nodo. Corregido en versiones 0.12.12, 1.0.5 y 1.1.0 RC1 • https://discuss.hashicorp.com/t/hcsec-2021-14-nomad-bridge-networking-mode-allows-arp-spoofing-from-other-bridged-tasks-on-same-node/24296 https://www.hashicorp.com/blog/category/nomad •