CVE-2021-43415
HIGH8.8EPSS 0.65%Improper Authentication in HashiCorp Nomad
發布日:2021/12/10修改日:2024/8/21
描述
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
受影響套件(2)
- Go/github.com/hashicorp/nomadfrom 0, < 1.0.14
- Go/github.com/hashicorp/nomadfrom 0, < 1.0.14, >= 1.1.0, < 1.1.8, >= 1.2.0, < 1.2.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
參考連結(5)
- ADVISORYhttps://github.com/advisories/GHSA-2jhh-5xm2-j4gf
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-43415
- PATCHhttps://github.com/hashicorp/nomad
- WEBhttps://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
- WEBhttps://www.hashicorp.com/blog/category/nomad