HCSEC-2020-08 - Nomad's Raw File View Vulnerable to Cross-Site Scripting

Bulletin ID: HCSEC-2020-08
Affected Products / Versions: Previous versions of Nomad and Nomad Enterprise; fixed in 0.10.5.
Publication Date: 24 March, 2020

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. This vulnerability, CVE-2020-10944, affects all Nomad versions since 0.3 and is fixed in the 0.10.5 release.

The files within workloads can be accessed from the Nomad API or UI to enable operators to inspect the filesystem of their running allocations.

An internal security review identified a vulnerability such that it was possible to inject JavaScript from a malicious workload in the cluster. When this file is viewed in its raw form from the API or UI, this will execute in the browser.

Customers should upgrade to Nomad or Nomad Enterprise 0.10.5, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

This issue was identified by the HashiCorp security team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.