CVE-2021-43415

Source
Severity Medium
Remote Yes
Type Access restriction bypass
Description
Nomad before version 1.2.1 with the QEMU task driver enabled allowed authenticated users with job submission capabilities to bypass the configured allowed paths for images.
Group     Package  Affected  Fixed    Severity  Status  Ticket
AVG-2580  nomad    1.2.0-1   1.2.1-1  Medium    Fixed   FS#72813
References
https://github.com/hashicorp/nomad/issues/11542
https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285
Notes
Workaround
==========

The issue can be mitigated by disabling the QEMU task driver using the following client agent configuration snippet:

plugin "qemu" { 
    enabled = false 
}
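
An added example (not part of the advisory or of Nomad's code) that checks a client agent against this entry: the reported version is compared with the fixed release 1.2.1, and the client configuration is searched for the workaround block above. The function names, the sample inputs and the restriction to HCL configuration without heredocs are assumptions of the example.

```python
import re

FIXED = (1, 2, 1)  # first fixed release per the advisory
_STRING = re.compile(r'"(?:\\.|[^"\\])*"', re.S)
_STRING_OR_COMMENT = re.compile(
    _STRING.pattern + r"|#[^\n]*|//[^\n]*|/\*.*?\*/", re.S)

def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Nomad v1.2.0 (...)' or '1.2.0-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(p) for p in m.groups())

def qemu_disabled(hcl):
    """True if a plugin "qemu" block sets enabled = false at its top level."""
    # Drop comments but keep strings, so '#' or '//' inside a string survives.
    text = _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", hcl)
    for block in re.finditer(r'\bplugin\s+"qemu"\s*\{', text):
        depth, i, top = 1, block.end(), []
        while i < len(text) and depth:
            s = _STRING.match(text, i)
            if s:  # skip string literals: braces inside them are not structure
                i = s.end()
                continue
            c = text[i]
            depth += (c == "{") - (c == "}")
            if depth == 1 and c not in "{}":
                top.append(c)  # keep only attributes directly in the block
            i += 1
        if re.search(r"\benabled\s*=\s*false\b", "".join(top)):
            return True
    return False

def assess(version_text, client_hcl):
    """Classify a client agent as 'fixed', 'mitigated' or 'affected'."""
    if parse_version(version_text) >= FIXED:
        return "fixed"
    return "mitigated" if qemu_disabled(client_hcl) else "affected"

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "Nomad v1.2.0 (constructed)"
SAMPLE_CONFIG = '''
# plugin "qemu" { enabled = false }   <- commented out, must not count
plugin "qemu" {
  config { image_paths = ["/srv/{images}"] }
}
'''

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
    print(assess(SAMPLE_VERSION, 'plugin "qemu" {\n  enabled = false\n}'))
```

"affected" here means only that the version predates the fix and the workaround block is absent; whether the QEMU driver is actually active on the host is not checked.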