Main Vulnerability Database SB2020111218

SB2020111218 - Path traversal in HashiCorp Nomad

Published: November 12, 2020

Security Bulletin ID SB2020111218

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2020-28348)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to File Sandbox Escape via Container Volume Mount. A remote authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Remediation

Install update from vendor's website.

References

https://discuss.hashicorp.com/t/nomad-0-12-8-0-11-7-and-0-10-8-released/17491
https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0128-november-10-2020