CVE-2024-7625

EUVD-2024-2459

15.08.2024, 00:15

In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access or compromise of the Nomad client agent at the source allocation first is a prerequisite for leveraging this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.8 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
HashiCorp	CNA	5.8 MEDIUM				CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 52%

Affected Products (NVD)

Vendor	Product	Version
hashicorp	nomad	0.6.1 ≤ 𝑥 < 1.6.14
hashicorp	nomad	0.6.1 ≤ 𝑥 < 1.6.14
hashicorp	nomad	1.7.0 ≤ 𝑥 < 1.7.11
hashicorp	nomad	1.7.0 ≤ 𝑥 < 1.7.11
hashicorp	nomad	1.8.0 ≤ 𝑥 ≤ 1.8.3
hashicorp	nomad	1.8.0 ≤ 𝑥 < 1.8.3

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

nomad

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

Common Weakness Enumeration

CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

References

https://discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293