CVE-2024-1329

Externally Controlled Reference to a Resource in Another Sphere in go/github.com/hashicorp/nomad

Identifiers

GHSA-c866-8gpw-p3mv, CVE-2024-1329

Package Slug

go/github.com/hashicorp/nomad

Vulnerability

Externally Controlled Reference to a Resource in Another Sphere

Description

The template renderer in HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3, is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14.

Affected Versions

Version 1.5.13, all versions starting from 1.6.0 up to 1.6.6, version 1.7.3

Solution

Upgrade to versions 1.5.14, 1.6.7, 1.7.4 or above.

Last Modified

2024-02-12
