CVE-2020-28348: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

February 15, 2022 (updated July 16, 2022)

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.

References

discuss.hashicorp.com/t/nomad-0-12-8-0-11-7-and-0-10-8-released/17491
github.com/advisories/GHSA-5x92-p4p5-33c4
github.com/hashicorp/nomad/blob/master/CHANGELOG.md
github.com/hashicorp/nomad/issues/9303
github.com/hashicorp/nomad/pull/9321
nvd.nist.gov/vuln/detail/CVE-2020-28348

Detect and mitigate CVE-2020-28348 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →