CVE-2024-10975 HIGH

CVE-2024-10975: Nomad Vulnerable To Cross-Namespace Volume Creation Abusing CSI Write Permission

Vendor Hashicorp
Product Nomad
Weakness CWE-863 · Incorrect authorization
Published November 7, 2024
Last update November 7, 2024
View on NVD All CVEs

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

Key dates

02Disclosure timeline

November 7, 2024 CVE published
November 7, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-34434 WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3.2 - Arbitrary Shortcode Execution vulnerability CVE-2026-33720 n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK CVE-2023-5193 System Role with manage posts permission can read posts of Direct Messages CVE-2024-45125 Adobe Commerce | Incorrect Authorization (CWE-863) CVE-2026-41903 FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifying any user's notification subscriptions (incomplete fix of CVE-2025-48472)