Bypass of Configured Allowed Image Paths in HashiCorp Nomad

CVE-2021-43415 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.