CVE-2024-12678

Published: Dec 20, 2024Modified: Dec 12, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security@hashicorp.com (Secondary)

Description

Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.

Affected (4)

Products: Hashicorp: Nomad

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Hashicorp Nomad	From 1.4.0 to 1.9.4
Hashicorp Nomad	From 1.4.0 to 1.7.16
Hashicorp Nomad	From 1.8.0 to 1.8.8
Hashicorp Nomad	From 1.9.0 to 1.9.4

Related CWEs

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (1)

https://discuss.hashicorp.com/t/hcsec-2024-29-nomad-allocations-vulnerable-to-privilege-escalation-within-a-namespace-using-unredacted-workload-identity-token/72119

Source: security@hashicorp.com

Vendor Advisory

Timeline

No history available yet.