CVE-2024-1329
HIGH7.7EPSS 0.33%HashiCorp Nomad vulnerable to symlink attacks
發布日:2024/2/8修改日:2024/9/26
描述
HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14.
受影響套件(2)
- Go/github.com/hashicorp/nomad>= 1.5.13, < 1.5.14
- Go/github.com/hashicorp/nomad>= 1.5.13, < 1.5.14, >= 1.6.0, < 1.6.7, >= 1.7.3, < 1.7.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.7 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-1329
- PATCHhttps://github.com/hashicorp/nomad
- WEBhttps://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack
- WEBhttps://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834
- WEBhttps://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a
- WEBhttps://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70
- WEBhttps://github.com/hashicorp/nomad/issues/19888