
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24686 affects HashiCorp Nomad and Nomad Enterprise from version 0.3.0 up to and including 1.0.17, 1.1.11, and 1.2.5. It is a race condition in artifact downloading: the Nomad client agent could download the wrong artifact into the wrong destination. The issue was fixed in versions 1.0.18, 1.1.12, and 1.2.6 (HashiCorp Discuss).
The vulnerability stems from unsafe use of the go-getter library, which Nomad uses to download the artifacts declared in a job definition's artifact stanza. The issue was identified with the built-in go test race detector, which revealed that a go-getter client was being used unsafely when shared between goroutines. The vulnerability has a CVSS score of 5.9 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (NetApp Security).
If successfully exploited, this vulnerability could allow an attacker with job submission capabilities to affect another allocation, causing the client to place an incorrect artifact in the wrong destination. However, reliable exploitation in a live cluster is considered difficult, since it would require precisely timing two artifact downloads outside the attacker's own job submission (HashiCorp Discuss).
Users are advised to upgrade to Nomad or Nomad Enterprise 1.0.18, 1.1.12, or 1.2.6 or newer to address this vulnerability. The fix modifies Nomad's logic so that the race condition can no longer occur (HashiCorp Discuss).
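The bug class described above, and the shape of the fix, as an added Go example that is not part of this report and not go-getter or Nomad code: a hypothetical Downloader whose Src and Dst fields are set before each call is reused across goroutines (the racy pattern) versus created fresh per download (the fix); the job list and URLs are constructed sample input.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
)

// Downloader models a getter client whose Src/Dst fields are set before each call (hypothetical; not go-getter or Nomad code).
type Downloader struct{ Src, Dst string }
var jobs = map[string]string{ // constructed input: destination path -> artifact URL
	"alloc-a/local/app.tar":  "https://example.invalid/app.tar",
	"alloc-b/local/cfg.json": "https://example.invalid/cfg.json",
}
// Get reads Src, then Dst; a concurrent caller mutating the same struct between the
// two reads puts the wrong artifact in the wrong place. The fetch itself is simulated.
func (d *Downloader) Get(dest *sync.Map) {
	src := d.Src
	runtime.Gosched() // widen the window so the bad interleaving is easy to observe
	dest.Store(d.Dst, "bytes-of:"+src)
}
// placeAll downloads every job concurrently, taking each job's client from newClient,
// and reports whether every destination holds the artifact its job asked for.
func placeAll(newClient func() *Downloader) bool {
	var dest sync.Map
	var wg sync.WaitGroup
	for dst, src := range jobs {
		wg.Add(1)
		go func(src, dst string) {
			defer wg.Done()
			d := newClient()
			d.Src, d.Dst = src, dst // per-call field mutation: a data race if d is shared
			d.Get(&dest)
		}(src, dst)
	}
	wg.Wait()
	ok := true
	for dst, src := range jobs {
		got, _ := dest.Load(dst)
		ok = ok && got == "bytes-of:"+src
	}
	return ok
}

func main() {
	common := &Downloader{} // vulnerable pattern: one client reused by every goroutine
	fmt.Println("per-download client:", placeAll(func() *Downloader { return &Downloader{} }))
	fmt.Println("shared client:", placeAll(func() *Downloader { return common }))
}
```

Running it with `go run -race` reports the concurrent writes to the shared client's Src and Dst, the same kind of finding the race detector produced for Nomad; the per-download client is race-free and always places each artifact correctly.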
Source: This report was generated using AI