Vulnerability Details CVE-2021-43415
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.0
References
- https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
- https://www.hashicorp.com/blog/category/nomad
- https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
- https://www.hashicorp.com/blog/category/nomad
Products affected by CVE-2021-43415
-
cpe:2.3:a:hashicorp:nomad:1.0.0
-
cpe:2.3:a:hashicorp:nomad:1.0.1
-
cpe:2.3:a:hashicorp:nomad:1.0.10
-
cpe:2.3:a:hashicorp:nomad:1.0.11
-
cpe:2.3:a:hashicorp:nomad:1.0.12
-
cpe:2.3:a:hashicorp:nomad:1.0.13
-
cpe:2.3:a:hashicorp:nomad:1.0.2
-
cpe:2.3:a:hashicorp:nomad:1.0.3
-
cpe:2.3:a:hashicorp:nomad:1.0.4
-
cpe:2.3:a:hashicorp:nomad:1.0.5
-
cpe:2.3:a:hashicorp:nomad:1.0.6
-
cpe:2.3:a:hashicorp:nomad:1.0.7
-
cpe:2.3:a:hashicorp:nomad:1.0.8
-
cpe:2.3:a:hashicorp:nomad:1.1.0
-
cpe:2.3:a:hashicorp:nomad:1.1.1
-
cpe:2.3:a:hashicorp:nomad:1.1.2
-
cpe:2.3:a:hashicorp:nomad:1.1.3
-
cpe:2.3:a:hashicorp:nomad:1.1.4
-
cpe:2.3:a:hashicorp:nomad:1.1.5
-
cpe:2.3:a:hashicorp:nomad:1.1.6
-
cpe:2.3:a:hashicorp:nomad:1.1.7
-
cpe:2.3:a:hashicorp:nomad:1.2.0