CVE-2024-1329

Summary

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

Affected Software

VendorProductVersion RangeStatus
HashiCorpNomad0 <= 1.5.13affected
HashiCorpNomad0 <= 1.6.6affected
HashiCorpNomad0 <= 1.7.3affected
HashiCorpNomad Enterprise0 <= 1.5.13affected
HashiCorpNomad Enterprise0 <= 1.6.6affected
HashiCorpNomad Enterprise0 <= 1.7.3affected

Weaknesses

  • CWE-59: CWE-59: Improper Link Resolution Before File Access (Link Following)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References