x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-hr68-hvgv-xxqf

[GoVulnBot]

Advisory GHSA-hr68-hvgv-xxqf references a vulnerability in the following Go modules:

Module
github.com/hashicorp/nomad

Description:
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.

References:

• ADVISORY: GHSA-hr68-hvgv-xxqf
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-12678
• FIX: hashicorp/nomad@359a718
• WEB: https://discuss.hashicorp.com/t/hcsec-2024-29-nomad-allocations-vulnerable-to-privilege-escalation-within-a-namespace-using-unredacted-workload-identity-token/72119

Cross references:

• github.com/hashicorp/nomad appears in 28 other report(s):
  • data/reports/GO-2022-0560.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-6jm6-cmcp-fqjq #560)
  • data/reports/GO-2022-0573.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2jhh-5xm2-j4gf #573)
  • data/reports/GO-2022-0577.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-3382-r9q8-4hfg #577)
  • data/reports/GO-2022-0584.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-wmrx-57hm-mw7r #584)
  • data/reports/GO-2022-0591.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c8x3-rg72-fwwg #591)
  • data/reports/GO-2022-0600.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-gwmc-6795-qghj #600)
  • data/reports/GO-2022-0622.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-35qp-xq9f-2rjx #622)
  • data/reports/GO-2022-0634.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/client/allocrunner/taskrunner/template: GHSA-6hv3-7c34-4hx8 #634)
  • data/reports/GO-2022-0709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-vf6q-9f2f-mwhv #709)
  • data/reports/GO-2022-0732.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-526x-rm7j-v389 #732)
  • data/reports/GO-2022-0770.yaml (x/vulndb: potential Go vuln in github.com/binance-chain/tss-lib/ecdsa/keygen: GHSA-5x92-p4p5-33c4 #770 #770)
  • data/reports/GO-2022-0806.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/client/allocrunner/taskrunner/template: GHSA-77cr-6gr8-7rr9 #806)
  • data/reports/GO-2022-0821.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-cj2h-ww36-v932 #821)
  • data/reports/GO-2022-0840.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad/command/agent: GHSA-h43v-26r7-7j4c #840)
  • data/reports/GO-2022-1062.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-7v3g-4878-5qrf #1062)
  • data/reports/GO-2022-1105.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-7wg4-8m5p-hrfg #1105)
  • data/reports/GO-2022-1106.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-9fmc-5fq4-5jwh #1106)
  • data/reports/GO-2023-1581.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-w479-w22g-cffh #1581)
  • data/reports/GO-2023-1633.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rqm8-q8j9-662f #1633)
  • data/reports/GO-2023-1707.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-f8r8-h93m-mj77 #1707)
  • data/reports/GO-2023-1899.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-hhvx-8755-4cvw #1899)
  • data/reports/GO-2023-1928.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2w2v-xcr9-mj4m #1928)
  • data/reports/GO-2024-2538.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-c866-8gpw-p3mv #2538)
  • data/reports/GO-2024-2669.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-9jfx-84v9-2rr2 #2669)
  • data/reports/GO-2024-2670.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rpvr-38xv-xvxq #2670)
  • data/reports/GO-2024-2671.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-v5fm-hr72-27hx #2671)
  • data/reports/GO-2024-3073.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-25qx-vfw2-fw8r #3073)
  • data/reports/GO-2024-3262.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-2w5v-x29g-jw7j #3262)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/nomad
      versions:
        - fixed: 1.9.4
      vulnerable_at: 1.9.3
summary: Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad
cves:
    - CVE-2024-12678
ghsas:
    - GHSA-hr68-hvgv-xxqf
references:
    - advisory: https://github.com/advisories/GHSA-hr68-hvgv-xxqf
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-12678
    - fix: https://github.com/hashicorp/nomad/commit/359a71861ef044cb5d749a36ff0e44b172c8f1a6
    - web: https://discuss.hashicorp.com/t/hcsec-2024-29-nomad-allocations-vulnerable-to-privilege-escalation-within-a-namespace-using-unredacted-workload-identity-token/72119
source:
    id: GHSA-hr68-hvgv-xxqf
    created: 2024-12-20T16:01:15.143773562Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/638116 mentions this issue: data/reports: add 6 unreviewed reports

[gopherbot]

Change https://go.dev/cl/637956 mentions this issue: data/reports: add 6 unreviewed reports