
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Nomad and Nomad Enterprise versions 1.1.1 through 1.1.5 contained a vulnerability (CVE-2021-41865) that allowed authenticated users with job submission capabilities to cause denial of service. The vulnerability was discovered through internal testing and was fixed in version 1.1.6 (HashiCorp Discussion).
The vulnerability was triggered when a user submitted an incomplete job specification that combined a Consul mesh gateway with host networking mode. The root cause was improper handling of a missing optional stanza in the job specification: instead of rejecting the incomplete job, Nomad client agents crashed when they processed it. The vulnerability received a CVSS v3.1 score of 6.5 (Medium) and a CVSS v2.0 score of 4.0 (Medium) (NVD).
When exploited, the vulnerability could lead to a cascading failure effect. As crashed clients became lost, their allocations would be rescheduled, potentially causing all clients to crash as the problematic job specification was rescheduled throughout the cluster (HashiCorp Discussion).
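To illustrate the defect class and its mitigation, here is an added Go example that is not Nomad's code: a hypothetical, simplified job model in which the unnamed optional stanza is a nil pointer, a function that dereferences it unguarded (the crash pattern described above), and a submission-time validator that rejects the incomplete job before any client agent has to handle it. All type and field names are constructed for this illustration.

```go
package main

import "fmt"

// OptionalStanza stands in for the optional block the advisory does not name.
// These types are a constructed model, not Nomad's own structures.
type OptionalStanza struct {
	Config map[string]string
}

type GatewayConfig struct {
	Optional *OptionalStanza // nil when the submitter omits the block
}

type Job struct {
	Name        string
	NetworkMode string         // e.g. "bridge" or "host"
	MeshGateway *GatewayConfig // nil unless the group declares a mesh gateway
}

// buildArgsUnguarded models the defect class: it assumes the optional block
// is present and dereferences it directly. With the block omitted this
// panics, and in an agent process a panic takes the whole client down.
func buildArgsUnguarded(j *Job) map[string]string {
	return j.MeshGateway.Optional.Config
}

// validateJob moves the check to submission time: a mesh gateway in host
// networking mode must carry the optional block, otherwise the job is
// rejected with an error and never reaches a client agent.
func validateJob(j *Job) error {
	if j.MeshGateway == nil {
		return nil // no gateway, nothing to check
	}
	if j.NetworkMode == "host" && j.MeshGateway.Optional == nil {
		return fmt.Errorf("job %q: mesh gateway with host networking requires the optional block", j.Name)
	}
	return nil
}

// buildArgs is the guarded counterpart: validate first, then return an
// error instead of dereferencing a nil pointer.
func buildArgs(j *Job) (map[string]string, error) {
	if err := validateJob(j); err != nil {
		return nil, err
	}
	if j.MeshGateway == nil || j.MeshGateway.Optional == nil {
		return nil, fmt.Errorf("job %q: no optional block present", j.Name)
	}
	return j.MeshGateway.Optional.Config, nil
}
```

Rejecting the job at submission also breaks the cascade described above: a job that never becomes an allocation is never rescheduled onto the next client.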
The vulnerability was fixed in Nomad and Nomad Enterprise version 1.1.6. Users running affected versions (1.1.1 through 1.1.5) were advised to evaluate their risk and upgrade to version 1.1.6 or newer. The Nomad 1.0 branch and earlier releases were not affected by this issue (HashiCorp Discussion).
Source: This report was generated using AI