CVE-2020-28348

EPSS 0.49%
Published 24.11.2020 03:15:13
Last modified 21.11.2024 05:22:38
Source cve@mitre.org
Teams watchlist Login
Open Login

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Hashicorp ≫ Nomad SwEditionenterprise Version >= 0.9.0 < 0.10.8

Hashicorp ≫ Nomad SwEditionenterprise Version >= 0.11.0 < 0.11.7

Hashicorp ≫ Nomad SwEditionenterprise Version >= 0.12.0 < 0.12.8

Hashicorp ≫ Nomad SwEdition- Version >= 0.9.0 < 0.10.8

Hashicorp ≫ Nomad SwEdition- Version >= 0.11.0 < 0.11.7

Hashicorp ≫ Nomad SwEdition- Version >= 0.12.0 < 0.12.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.646

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	6.3	6.8	6.9	AV:N/AC:M/Au:S/C:C/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0128-november-10-2020

Third Party Advisory

Release Notes

https://github.com/hashicorp/nomad/issues/9303

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2020-28348

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-28348

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-28348

EUVD