HashiCorp Nomad is vulnerable to Denial of Service (DoS). The vulnerability exists due to the lack of GCS URL validation in the NewGetter function of getter.go, which allows an attacker to cause an application crash.
discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420
github.com/advisories/GHSA-7v3g-4878-5qrf
github.com/hashicorp/nomad/commit/1b831f3da40079607936cdc157e6c1d9cd1bc42b
github.com/hashicorp/nomad/commit/2f879d80c9499e07ec84931700e08cf2fe1d8662
github.com/hashicorp/nomad/commit/bdb3409c59363882ddb9a85be55b530573d1a9d8
github.com/hashicorp/nomad/pull/14696
github.com/hashicorp/nomad/pull/14705
github.com/hashicorp/nomad/pull/14706