Bulletin ID: HCSEC-2020-08
Affected Products / Versions: Previous versions of Nomad and Nomad Enterprise; fixed in 0.10.5.
Publication Date: 24 March, 2020
The files within workloads can be accessed from the Nomad API or UI to enable operators to inspect the filesystem of their running allocations.
Customers should upgrade to Nomad or Nomad Enterprise 0.10.5, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
This issue was identified by the HashiCorp security team.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.