
Cloud Vulnerability DB
HashiCorp Nomad and Nomad Enterprise versions 1.0.0 through 1.0.17, 1.1.11, and 1.2.5 contained a vulnerability in the endpoint that lets anyone with access to Nomad's API submit HCL-formatted jobs for parsing and receive the equivalent JSON. This vulnerability (CVE-2022-24685) was discovered during a scheduled external security assessment and was fixed in versions 1.0.18, 1.1.12, and 1.2.6, released in February 2022 (HashiCorp Discussion).
The vulnerability existed in Nomad's jobs API parse endpoint, which converts HCL formatted files to JSON. When jobs are sent to the API, they must be formatted as JSON in the HTTP request. The parse endpoint was designed to handle this HCL to JSON conversion for systems that cannot use the CLI. However, the endpoint allowed malformed HCL configuration to be evaluated, which could result in excessive CPU usage on Nomad server agents (HashiCorp Discussion).
When successfully exploited, this vulnerability could lead to Denial of Service (DoS) through excessive CPU usage on Nomad server agents. The vulnerability received a CVSS v3.1 score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).
The vulnerability was addressed by modifying Nomad's HCL parsing logic to no longer allow malformed configurations and by requiring an ACL token when accessing the parse endpoint. Users are advised to upgrade to Nomad or Nomad Enterprise versions 1.0.18, 1.1.12, and 1.2.6 or newer (HashiCorp Discussion).
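To turn the upgrade advice above into something a defender can run over a fleet inventory, the following Python script classifies Nomad version strings against the three fixed releases. It is an added example written for this page, not code from Wiz or HashiCorp. It assumes the usual Nomad version formats (`1.2.5`, `v1.2.5`, `1.2.5+ent` for Enterprise builds), treats any version below the fix for its 1.0 / 1.1 / 1.2 line as needing an upgrade, treats 1.3 and later as shipped after the fix, and reports versions older than 1.0 as outside the advisory's stated range rather than guessing. Pre-release suffixes such as `-rc1` are tolerated but ignored in the comparison, which is a simplification.

```python
"""Classify Nomad versions against the CVE-2022-24685 fixed releases.

Added example for this advisory page; not Wiz's or HashiCorp's code.
"""
import re

# Fixed releases per minor line, as stated in the HashiCorp advisory.
FIXED_RELEASES = {
    (1, 0): "1.0.18",
    (1, 1): "1.1.12",
    (1, 2): "1.2.6",
}

# Accepts '1.2.5', 'v1.2.5', '1.2.5+ent', '1.0.18-rc1'. The suffix is ignored
# when comparing (assumption: a simplification that is fine for an inventory sweep).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.+-]*)?$")


def parse_version(version):
    """Return (major, minor, patch) for a Nomad version string, or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Nomad version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify one version. Returns (status, upgrade_to).

    ("vulnerable", "1.2.6")  below the fixed release for its minor line
    ("patched", None)        at or above the fix, or on a line newer than 1.2
    ("unknown", "1.0.18")    older than 1.0, outside the advisory's stated range
    """
    major, minor, patch = parse_version(version)
    if (major, minor) < (1, 0):
        # The advisory starts at 1.0.0; do not claim more than it states.
        return "unknown", FIXED_RELEASES[(1, 0)]
    fix = FIXED_RELEASES.get((major, minor))
    if fix is None:
        # 1.3 and later were released after the fix (assumption stated in lead-in).
        return "patched", None
    if (major, minor, patch) < parse_version(fix):
        return "vulnerable", fix
    return "patched", None


def audit(versions):
    """Map each version string to its assessment; unparsable strings become ('invalid', None)."""
    results = {}
    for v in versions:
        try:
            results[v] = assess(v)
        except ValueError:
            results[v] = ("invalid", None)
    return results


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; not real hosts.
    sample = ["1.0.17", "1.0.18", "v1.1.11+ent", "1.2.5", "1.2.6",
              "1.3.1", "0.12.9", "latest"]
    for v, (status, fix) in audit(sample).items():
        action = f"upgrade to {fix}" if status == "vulnerable" else ""
        print(f"{v:14} {status:10} {action}")
```

In practice the `sample` list would be replaced by version strings collected from each server agent (for example from `nomad version` output gathered by your configuration management), and any host reported as `vulnerable` goes on the upgrade list for the fixed release shown.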
Source: This report was generated using AI