CVE-2024-7625

CVSS V2 None CVSS V3 None

Description

In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.16.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access or compromise of the Nomad client agent at the source allocation first is a prerequisite for leveraging this vulnerability.

Overview

CVE ID
CVE-2024-7625

Assigner
HashiCorp

Vulnerability Status
PUBLISHED

Published Version
2024-08-14T23:20:17.888Z

Last Modified Date
2024-08-14T23:20:17.888Z

Weakness Enumerations

CWE	URL
CWE-610	http://cwe.mitre.org/data/definitions/610.html

References

Reference URL	Reference Tags
https://discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-7625
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7625

History

Created	Old Value	New Value	Data Type	Notes
2024-08-15 13:07:12				Added to TrackCVE