File tree 2 files changed +128
-0
lines changed
2 files changed +128
-0
lines changed Original file line number Diff line number Diff line change 1+ {
2+ "schema_version" : " 1.3.1"
3+ "id" : " GO-2024-2538"
4+ "modified" : " 0001-01-01T00:00:00Z"
5+ "published" : " 0001-01-01T00:00:00Z"
6+ "aliases" : [
7+ " CVE-2024-1329"
8+ " GHSA-c866-8gpw-p3mv"
9+ ],
10+ "summary" : " Symlink attack in github.com/hashicorp/nomad"
11+ "details" : " Symlink attack in github.com/hashicorp/nomad"
12+ "affected" : [
13+ {
14+ "package" : {
15+ "name" : " github.com/hashicorp/nomad"
16+ "ecosystem" : " Go"
17+ },
18+ "ranges" : [
19+ {
20+ "type" : " SEMVER"
21+ "events" : [
22+ {
23+ "introduced" : " 1.5.13"
24+ },
25+ {
26+ "fixed" : " 1.5.14"
27+ },
28+ {
29+ "introduced" : " 1.6.0"
30+ },
31+ {
32+ "fixed" : " 1.6.7"
33+ },
34+ {
35+ "introduced" : " 1.7.3"
36+ },
37+ {
38+ "fixed" : " 1.7.4"
39+ }
40+ ]
41+ }
42+ ],
43+ "ecosystem_specific" : {
44+ "imports" : [
45+ {
46+ "path" : " github.com/hashicorp/nomad/helper/escapingfs"
47+ "symbols" : [
48+ " PathEscapesAllocDir"
49+ " pathEscapesBaseViaSymlink"
50+ ]
51+ },
52+ {
53+ "path" : " github.com/hashicorp/nomad/client/allocwatcher"
54+ "symbols" : [
55+ " remotePrevAlloc.Migrate"
56+ " remotePrevAlloc.migrateAllocDir"
57+ " remotePrevAlloc.streamAllocDir"
58+ ]
59+ }
60+ ]
61+ }
62+ }
63+ ],
64+ "references" : [
65+ {
66+ "type" : " ADVISORY"
67+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2024-1329"
68+ },
69+ {
70+ "type" : " REPORT"
71+ "url" : " https://github.com/hashicorp/nomad/issues/19888"
72+ },
73+ {
74+ "type" : " FIX"
75+ "url" : " https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834"
76+ },
77+ {
78+ "type" : " FIX"
79+ "url" : " https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a"
80+ },
81+ {
82+ "type" : " FIX"
83+ "url" : " https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70"
84+ },
85+ {
86+ "type" : " WEB"
87+ "url" : " https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack"
88+ }
89+ ],
90+ "database_specific" : {
91+ "url" : " https://pkg.go.dev/vuln/GO-2024-2538"
92+ }
93+ }
Original file line number Diff line number Diff line change 1+ id : GO-2024-2538
2+ modules :
3+ - module : github.com/hashicorp/nomad
4+ versions :
5+ - introduced : 1.5.13
6+ fixed : 1.5.14
7+ - introduced : 1.6.0
8+ fixed : 1.6.7
9+ - introduced : 1.7.3
10+ fixed : 1.7.4
11+ vulnerable_at : 1.7.3
12+ packages :
13+ - package : github.com/hashicorp/nomad/helper/escapingfs
14+ symbols :
15+ - pathEscapesBaseViaSymlink
16+ derived_symbols :
17+ - PathEscapesAllocDir
18+ - package : github.com/hashicorp/nomad/client/allocwatcher
19+ symbols :
20+ - remotePrevAlloc.streamAllocDir
21+ - remotePrevAlloc.migrateAllocDir
22+ derived_symbols :
23+ - remotePrevAlloc.Migrate
24+ summary : Symlink attack in github.com/hashicorp/nomad
25+ cves :
26+ - CVE-2024-1329
27+ ghsas :
28+ - GHSA-c866-8gpw-p3mv
29+ references :
30+ - advisory : https://nvd.nist.gov/vuln/detail/CVE-2024-1329
31+ - report : https://github.com/hashicorp/nomad/issues/19888
32+ - fix : https://github.com/hashicorp/nomad/commit/b3209cbc6921e703b0e9984ce70c10b378665834
33+ - fix : https://github.com/hashicorp/nomad/commit/d1721c7a6fc1833778086603f818a822a34f445a
34+ - fix : https://github.com/hashicorp/nomad/commit/de55da677a21ac7572c0f4a8cd9abd5473c47a70
35+ - web : https://discuss.hashicorp.com/t/hcsec-2024-03-nomad-vulnerable-to-arbitrary-write-through-symlink-attack
You can’t perform that action at this time.
0 commit comments