SB2024031435 - Multiple vulnerabilities in Nomad
Published: March 14, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Error Handling (CVE-ID: CVE-2024-24783)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in crypto/x509 due to improper validation of a certificate chain that contains an unknown public key. A remote attacker can pass a specially crafted certificate to the application and perform a denial of service attack.
2) Resource exhaustion (CVE-ID: CVE-2023-45290)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http due to application does not properly control consumption of internal resources when parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Cross-site scripting (CVE-ID: CVE-2024-24785)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in html/template when parsing errors returned from MarshalJSON methods. A remote attacker can execute arbitrary HTML and script code in user's browser in context of vulnerable website.
4) Infinite loop (CVE-ID: CVE-2024-24786)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when parsing data in an invalid JSON format within the protojson.Unmarshal() function. A remote attacker can consume all available system resources and cause denial of service conditions.
Remediation
Install update from vendor's website.
References
- https://github.com/hashicorp/nomad/releases/tag/v1.7.6"
- https://github.com/hashicorp/nomad/releases/tag/v1.7.6</a></p><p><a
- https://github.com/hashicorp/nomad/releases/tag/v1.6.9"
- https://github.com/hashicorp/nomad/releases/tag/v1.6.9</a></p><p>
- https://github.com/hashicorp/nomad/releases/tag/v1.5.16</p><p><br></p>