Main Vulnerability Database SB20241022352

SB20241022352 - Security restrictions bypass in Nomad

Published: October 22, 2024

Security Bulletin ID SB20241022352

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: N/A)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of case-sensitive characters in Client FS API. A local user with read-fs permissions but not alloc-exec permissions to read files from the secrets dir.

Note, the vulnerability affects installations on case-insensitive file systems, such as Windows, macOS, and Linux with obscure ext4 options enabled.

Remediation

Install update from vendor's website.

References

https://github.com/hashicorp/nomad/releases/tag/v1.9.1
https://github.com/hashicorp/nomad/pull/24125