x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2w5v-x29g-jw7j

[GoVulnBot]

Advisory GHSA-2w5v-x29g-jw7j references a vulnerability in the following Go modules:

Module
github.com/hashicorp/nomad

Description:
Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

References:

• ADVISORY: GHSA-2w5v-x29g-jw7j
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-10975
• FIX: hashicorp/nomad@30849c5
• WEB: https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission

Cross references:

• github.com/hashicorp/nomad appears in 27 other report(s):
  • data/reports/GO-2022-0560.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-6jm6-cmcp-fqjq #560)
  • data/reports/GO-2022-0573.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2jhh-5xm2-j4gf #573)
  • data/reports/GO-2022-0577.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-3382-r9q8-4hfg #577)
  • data/reports/GO-2022-0584.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-wmrx-57hm-mw7r #584)
  • data/reports/GO-2022-0591.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c8x3-rg72-fwwg #591)
  • data/reports/GO-2022-0600.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-gwmc-6795-qghj #600)
  • data/reports/GO-2022-0622.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-35qp-xq9f-2rjx #622)
  • data/reports/GO-2022-0634.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/client/allocrunner/taskrunner/template: GHSA-6hv3-7c34-4hx8 #634)
  • data/reports/GO-2022-0709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-vf6q-9f2f-mwhv #709)
  • data/reports/GO-2022-0732.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-526x-rm7j-v389 #732)
  • data/reports/GO-2022-0770.yaml (x/vulndb: potential Go vuln in github.com/binance-chain/tss-lib/ecdsa/keygen: GHSA-5x92-p4p5-33c4 #770 #770)
  • data/reports/GO-2022-0806.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/client/allocrunner/taskrunner/template: GHSA-77cr-6gr8-7rr9 #806)
  • data/reports/GO-2022-0821.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-cj2h-ww36-v932 #821)
  • data/reports/GO-2022-0840.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/command/agent: GHSA-h43v-26r7-7j4c #840)
  • data/reports/GO-2022-1062.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-7v3g-4878-5qrf #1062)
  • data/reports/GO-2022-1105.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-7wg4-8m5p-hrfg #1105)
  • data/reports/GO-2022-1106.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-9fmc-5fq4-5jwh #1106)
  • data/reports/GO-2023-1581.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-w479-w22g-cffh #1581)
  • data/reports/GO-2023-1633.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rqm8-q8j9-662f #1633)
  • data/reports/GO-2023-1707.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-f8r8-h93m-mj77 #1707)
  • data/reports/GO-2023-1899.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-hhvx-8755-4cvw #1899)
  • data/reports/GO-2023-1928.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2w2v-xcr9-mj4m #1928)
  • data/reports/GO-2024-2538.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c866-8gpw-p3mv #2538)
  • data/reports/GO-2024-2669.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-9jfx-84v9-2rr2 #2669)
  • data/reports/GO-2024-2670.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rpvr-38xv-xvxq #2670)
  • data/reports/GO-2024-2671.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-v5fm-hr72-27hx #2671)
  • data/reports/GO-2024-3073.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-25qx-vfw2-fw8r #3073)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/nomad
      vulnerable_at: 1.9.1
summary: Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad
cves:
    - CVE-2024-10975
ghsas:
    - GHSA-2w5v-x29g-jw7j
references:
    - advisory: https://github.com/advisories/GHSA-2w5v-x29g-jw7j
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10975
    - fix: https://github.com/hashicorp/nomad/commit/30849c518e16647a4f698e5f5cc82bef2bf40e4d
    - web: https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission
source:
    id: GHSA-2w5v-x29g-jw7j
    created: 2024-11-07T23:01:24.335294152Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/626556 mentions this issue: data/reports: add 2 unreviewed reports