CVE-2022-24686: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

February 15, 2022 (updated March 21, 2022)

HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6

References

discuss.hashicorp.com/
discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559
github.com/advisories/GHSA-gwmc-6795-qghj
github.com/hashicorp/nomad/issues/12036
github.com/hashicorp/nomad/releases/tag/v1.2.6
nvd.nist.gov/vuln/detail/CVE-2022-24686

Code Behaviors & Features

Detect and mitigate CVE-2022-24686 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →