HashiCorp Nomad and Nomad Enterprise Path Traversal Vulnerability Leading to Code Execution

Vulnerability

A path traversal vulnerability allowing code execution on the client host has been identified in HashiCorp Nomad and Nomad Enterprise versions prior to 2.0.1. The issue lies in the Dynamic Host Volumes feature, which lets authorized users create volumes on a client host by having the Nomad client run a plugin from its plugin directory. A user holding the host-volume-create capability and read access to nodes can submit a host-volume create request whose plugin reference traverses out of the plugin directory, causing the client to execute a non-plugin executable on the host as the same user as the Nomad agent. In effect, a Nomad ACL capability intended for volume management becomes command execution on the client.
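
To make the bug class concrete, the following Go program is an added illustration, not code from Nomad or from this advisory. It models the vulnerable resolution of a caller-supplied plugin ID into an executable path, a hardened resolver beside it, and the "built-in mkdir only" interim mitigation. The plugin directory path, the function names and the sample request IDs are assumptions made for the example; Nomad's real code and its patch may differ.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// defaultPluginDir is an assumed location for the client's host volume
// plugin directory; it stands in for whatever a real agent is configured with.
const defaultPluginDir = "/opt/nomad/host_volume_plugins"

// errBadPluginID is returned for any plugin ID that is not a single,
// plain file name inside the plugin directory.
var errBadPluginID = errors.New("plugin id must be a plain file name inside the plugin directory")

// resolvePluginPathUnsafe models the vulnerable pattern: the caller-supplied
// plugin ID is joined onto the plugin directory and the result is what gets
// executed. filepath.Join cleans ".." segments, so a traversal sequence in
// the ID silently lands outside dir.
func resolvePluginPathUnsafe(dir, pluginID string) string {
	return filepath.Join(dir, pluginID)
}

// resolvePluginPathSafe is an illustrative hardening (not Nomad's actual
// patch): reject any ID that is not exactly one path element, then confirm
// the cleaned result is still directly under dir.
func resolvePluginPathSafe(dir, pluginID string) (string, error) {
	switch pluginID {
	case "", ".", "..":
		return "", errBadPluginID
	}
	// Reject both separator styles so the check is not OS-dependent.
	if strings.ContainsAny(pluginID, `/\`) {
		return "", errBadPluginID
	}
	abs := filepath.Join(filepath.Clean(dir), pluginID)
	// Belt and braces: the path relative to dir must be the ID itself.
	rel, err := filepath.Rel(dir, abs)
	if err != nil || rel != pluginID {
		return "", errBadPluginID
	}
	return abs, nil
}

// builtinOnly models the advisory's interim mitigation for installations
// that cannot upgrade: refuse every plugin except the built-in mkdir one,
// so no path under the plugin directory is ever resolved for the request.
func builtinOnly(pluginID string) bool {
	return pluginID == "mkdir"
}

func main() {
	// Constructed request IDs: one benign, one traversal attempt.
	for _, id := range []string{"my-plugin", "../../../../bin/sh"} {
		fmt.Printf("id=%q\n", id)
		fmt.Printf("  unsafe -> %s\n", resolvePluginPathUnsafe(defaultPluginDir, id))
		if p, err := resolvePluginPathSafe(defaultPluginDir, id); err != nil {
			fmt.Printf("  safe   -> rejected: %v\n", err)
		} else {
			fmt.Printf("  safe   -> %s\n", p)
		}
		fmt.Printf("  mkdir-only policy allows: %v\n", builtinOnly(id))
	}
}
```

A lexical check like this only constrains the path string. If another local user can plant symlinks inside the plugin directory, resolve the candidate with filepath.EvalSymlinks before comparing it against the directory, and keep the directory itself writable only by the agent's user.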

Impact

Exploitation of this vulnerability allows arbitrary code execution on the client host as the user running the Nomad agent. Nomad client agents commonly run as root, so in practice this is full control of the client host, and of every workload scheduled on it.

Remediation

Users are advised to upgrade to HashiCorp Nomad 2.0.1 or, for Nomad Enterprise, to 2.0.1, 1.11.5, or 1.10.11. Nomad Enterprise customers unable to upgrade immediately can apply a Sentinel policy that disables external host volume plugins, allowing only the built-in 'mkdir' plugin. Sentinel is an Enterprise-only feature, so for the Community edition upgrading is the only fix. Until the upgrade is complete, treat the host-volume-create capability as equivalent to root on the clients its holder can target, and audit which ACL policies and tokens grant it.

Added: May 12, 2026, 8:27 PM
Updated: May 12, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 10.0
exploitability: 4.3
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.