Skip to content

[GHSA-5mqx-rpxv-mvxj] HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration #6774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
advisory-database merged 1 commit into from
Feb 4, 2026
+41 −3
Merged

[GHSA-5mqx-rpxv-mvxj] HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration #6774

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 41 additions & 3 deletions advisories/github-reviewed/2024/07/GHSA-5mqx-rpxv-mvxj/GHSA-5mqx-rpxv-mvxj.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5mqx-rpxv-mvxj",
"modified": "2026-01-05T14:59:35Z",
"modified": "2026-01-05T14:59:36Z",
"published": "2024-07-23T03:30:33Z",
"aliases": [
"CVE-2024-6717"
],
"summary": "HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration",
"details": "HashiCorp Nomad versions up to 1.11.1, and Nomad Enterprise versions 1.6.12 up to 1.7.9 and 1.8.1, are vulnerable to path escaping of the allocation directory during archive unpacking in migration. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.11.1 and Nomad Enterprise 1.6.13, 1.7.10, and 1.8.2.",
"details": "HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.",
"severity": [
{
"type": "CVSS_V3",
Expand All @@ -28,7 +28,45 @@
"introduced": "0"
},
{
"fixed": "1.11.1"
"fixed": "1.6.13"
}
Comment on lines 28 to +32
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version range with 'introduced': '0' and 'fixed': '1.6.13' is misleading because it suggests all versions from 0 to 1.6.13 are affected. According to the description, only versions 1.6.12 up to 1.7.9 and 1.8.1 are affected. The 'introduced' field should specify '1.6.12' instead of '0' to accurately represent the affected version range.

Copilot uses AI. Check for mistakes.
]
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.10"
}
Comment on lines +46 to +51
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version range with 'introduced': '0' and 'fixed': '1.7.10' is incorrect. Based on the description stating that versions 1.6.12 up to 1.7.9 are affected, this range should have 'introduced': '1.7.0' (or the appropriate starting version for the 1.7.x series) rather than '0'.

Copilot uses AI. Check for mistakes.
]
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.2"
}
Comment on lines +65 to 70
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version range with 'introduced': '0' and 'fixed': '1.8.2' is inaccurate. According to the description, only version 1.8.1 in the 1.8.x series is affected. The 'introduced' field should specify '1.8.1' to correctly represent that only this specific version is vulnerable.

Copilot uses AI. Check for mistakes.
]
}
Expand Down
Loading