CVE-2022-41606
MEDIUM6.5EPSS 0.41%Nomad Panics On Job Submission With Bad Artifact Stanza Source URL
Published: 10/12/2022Modified: 5/20/2025
Description
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
Affected packages (2)
- Go/github.com/hashicorp/nomadfrom 0, < 1.2.13
- Go/github.com/hashicorp/nomadfrom 0, < 1.2.13, >= 1.3.0, < 1.3.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORYhttps://github.com/advisories/GHSA-7v3g-4878-5qrf
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-41606
- PATCHhttps://github.com/hashicorp/nomad
- WEBhttps://discuss.hashicorp.com
- WEBhttps://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420
- WEBhttps://pkg.go.dev/vuln/GO-2022-1062