CVE-2021-43415

NameCVE-2021-43415
DescriptionHashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1021273

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nomadsource(unstable)(unfixed)1021273

Notes

https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
https://github.com/hashicorp/nomad/issues/11542
https://github.com/hashicorp/nomad/pull/11554
https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285 (v1.2.1)

Search for package or bug name: Reporting problems