Nomad Renderer Arbitrary File Write via Symlink (CVE-2024-1329)
CVE-2024-1329 Published on February 8, 2024
Nomad Vulnerable to Arbitrary Write Through Symlink Attack
The template renderer in HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3, is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
Weakness Type
What is an Insecure Temporary File Vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2024-1329 has been classified as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2024-1329
Affected Versions
HashiCorp Nomad:
- Before and including 1.5.13 is affected.
- Before and including 1.6.6 is affected.
- Before and including 1.7.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.