CVE-2024-10975

Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hashicorp:nomad:::::enterprise:::*
	cpe:2.3:a:hashicorp:nomad:::::-:::*
	cpe:2.3:a:hashicorp:nomad:::::enterprise:::*
	cpe:2.3:a:hashicorp:nomad:::::enterprise:::*

History

29 Dec 2025, 17:17

Type	Values Removed	Values Added
First Time		Hashicorp Hashicorp nomad
CPE		cpe:2.3:a:hashicorp:nomad:::::enterprise:::* cpe:2.3:a:hashicorp:nomad:::::-:::*
References	~~() https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission -~~	() https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission - Vendor Advisory

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) La especificación de volúmenes de Nomad Community y Nomad Enterprise ("Nomad") es vulnerable a la creación arbitraria de volúmenes entre espacios de nombres mediante escrituras no autorizadas en volúmenes de la Interfaz de almacenamiento de contenedores (CSI). Esta vulnerabilidad, identificada como CVE-2024-10975, se ha corregido en Nomad Community Edition 1.9.2 y Nomad Enterprise 1.9.2, 1.8.7 y 1.7.15.

07 Nov 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 21:15

Updated : 2025-12-29 17:17

NVD link : CVE-2024-10975

Mitre link : CVE-2024-10975

CVE.ORG link : CVE-2024-10975

JSON object : View

Products Affected

hashicorp

nomad

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-10975", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@hashicorp.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2024-11-07T21:15:06.383", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission", "tags": ["Vendor Advisory"], "source": "security@hashicorp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@hashicorp.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Nomad Community and Nomad Enterprise (\"Nomad\") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15."}, {"lang": "es", "value": "La especificaci\u00f3n de vol\u00famenes de Nomad Community y Nomad Enterprise (\"Nomad\") es vulnerable a la creaci\u00f3n arbitraria de vol\u00famenes entre espacios de nombres mediante escrituras no autorizadas en vol\u00famenes de la Interfaz de almacenamiento de contenedores (CSI). Esta vulnerabilidad, identificada como CVE-2024-10975, se ha corregido en Nomad Community Edition 1.9.2 y Nomad Enterprise 1.9.2, 1.8.7 y 1.7.15."}], "lastModified": "2025-12-29T17:17:03.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "CD7507C6-5E21-41A1-886E-2A801BC2FFAF", "versionEndExcluding": "1.7.15", "versionStartIncluding": "1.3.0"}, {"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "C7D339DE-A8C9-47C5-94C8-37E532BB6A69", "versionEndExcluding": "1.9.2", "versionStartIncluding": "1.3.0"}, {"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "25D8E93B-1F4C-4298-BB64-358014A5E9D8", "versionEndExcluding": "1.8.7", "versionStartIncluding": "1.8.0"}, {"criteria": "cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "FD4C121D-54C3-4E0F-A334-03A92346801B", "versionEndExcluding": "1.9.2", "versionStartIncluding": "1.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@hashicorp.com"}