CVE-2020-28348
MEDIUM6.5EPSS 0.44%Path Traversal in HashiCorp Nomad
Published: 2/15/2022Modified: 8/21/2024
Description
HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature (github.com/hashicorp/nomad/drivers/docker) may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.
Affected packages (2)
- Go/github.com/hashicorp/nomad>= 0.9.0, < 0.10.8
- Go/github.com/hashicorp/nomad>= 0.9.0, < 0.10.8, >= 0.11.0-beta1, < 0.11.7, >= 0.12.0-beta1, < 0.12.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORYhttps://github.com/advisories/GHSA-5x92-p4p5-33c4
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-28348
- WEBhttps://discuss.hashicorp.com/t/nomad-0-12-8-0-11-7-and-0-10-8-released/17491
- WEBhttps://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0128-november-10-2020
- WEBhttps://github.com/hashicorp/nomad/issues/9303
- WEBhttps://github.com/hashicorp/nomad/pull/9321