CVE-2024-1329
HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
| Software | From | Fixed in |
|---|---|---|
github.com/hashicorp/nomad
|
1.5.13 | 1.5.13.x |
|
github.com/hashicorp/nomad
|
1.5.13 | 1.5.14 |
|
github.com/hashicorp/nomad
|
1.6.0 | 1.6.7 |
|
github.com/hashicorp/nomad
|
1.7.3 | 1.7.3.x |
|
github.com/hashicorp/nomad
|
1.7.3 | 1.7.4 |
| hashicorp / nomad | 1.7.3. | 1.7.4 |
| hashicorp / nomad | 1.6.6 | 1.6.7 |
| hashicorp / nomad | 1.5.13 | 1.5.14 |
- https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack
- https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834
- https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a
- https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70
- https://github.com/hashicorp/nomad/issues/19888
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime