2170843 – (CVE-2023-0821) CVE-2023-0821 hashicorp/nomad: Nomad Client Vulnerable to Decompression Bombs in Artifact Block

Bug 2170843 (CVE-2023-0821) - CVE-2023-0821 hashicorp/nomad: Nomad Client Vulnerable to Decompression Bombs in Artifact Block

Summary: CVE-2023-0821 hashicorp/nomad: Nomad Client Vulnerable to Decompression Bombs...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2023-0821
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Embargoed2170825
TreeView+	depends on / blocked

Reported:	2023-02-17 11:50 UTC by Avinash Hanwate
Modified:	2023-02-17 20:30 UTC (History)
CC List:	15 users (show)
Fixed In Version:	Hashicorp Nomad 1.2.16 up to 1.3.9, and 1.4.4
Doc Type:	---
Doc Text:	A flaw was found in the HashiCorp Nomad package. A job submitted with a maliciously compressed source (for example, “Zip Bomb”) in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent.
Clone Of:
Environment:
Last Closed:	2023-02-17 20:30:44 UTC

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-02-17 11:50:20 UTC

HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

https://discuss.hashicorp.com/t/hcsec-2023-05-nomad-client-vulnerable-to-decompression-bombs-in-artifact-block/50292

Comment 1 Product Security DevOps Team 2023-02-17 20:30:41 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0821

Note You need to log in before you can comment on or make changes to this bug.