CVE-2024-1329

EPSS 0.29%
Published 08.02.2024 20:15:52
Last modified 21.11.2024 08:50:20
Source security@hashicorp.com
Teams watchlist Login
Open Login

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Hashicorp ≫ Nomad SwEdition- Version >= 1.5.13 < 1.5.14

Hashicorp ≫ Nomad SwEdition- Version >= 1.6.6 < 1.6.7

Hashicorp ≫ Nomad SwEdition- Version >= 1.7.3. < 1.7.4

Hashicorp ≫ Nomad SwEditionenterprise Version >= 1.5.13 < 1.5.14

Hashicorp ≫ Nomad SwEditionenterprise Version >= 1.6.6 < 1.6.7

Hashicorp ≫ Nomad SwEditionenterprise Version >= 1.7.3. < 1.7.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.29%	0.515

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@hashicorp.com	7.7	1.3	5.8	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CWE-610 Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-1329

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1329

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1329

EUVD