Stored XSS in Raw File View

[notnoop]

Nomad - Stored XSS in Raw File View

Vulnerability ID: CVE-2020-10944
Release Date: March 24th, 2020
Affected Products/Versions: Previous versions of Nomad and Nomad Enterprise; fixed in 0.10.5

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. This vulnerability affects all Nomad versions since 0.3, and is fixed in the 0.10.5 release.

This document outlines details about this vulnerability and describes steps for remediation.

Background

The files within workloads can be accessed from the Nomad API or UI to enable operators to inspect the filesystem of their running allocations.

Vulnerability Details

An internal security review identified a vulnerability such that it was possible to inject JavaScript from a malicious workload in the cluster. When this file is viewed in its raw form from the API or UI, this will execute in the browser.

Remediation

Customers should upgrade to Nomad or Nomad Enterprise 0.10.5, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Please contact support@hashicorp.com with any questions or security@hashicorp.com to report any security vulnerability or issue.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.