CVE-2024-10975: Hashicorp Nomad Incorrect Authorization vulnerability

November 7, 2024 (updated November 8, 2024)

Nomad Community and Nomad Enterprise (“Nomad”) volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

References

discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission
github.com/advisories/GHSA-2w5v-x29g-jw7j
github.com/hashicorp/nomad
github.com/hashicorp/nomad/commit/30849c518e16647a4f698e5f5cc82bef2bf40e4d
nvd.nist.gov/vuln/detail/CVE-2024-10975

Detect and mitigate CVE-2024-10975 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →