CVE-2021-43415

high

Description

HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.

References

https://www.hashicorp.com/blog/category/nomad

https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288

Details

Source: Mitre, NVD

Published: 2021-12-03

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00229

Detections

Analytics