CVE-2024-10975: 
Nomad vulnerability analysis and mitigation

Nomad Community and Nomad Enterprise ("Nomad") volume specification contains a vulnerability that allows arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. The vulnerability, tracked as CVE-2024-10975, affects Nomad Community Edition from 1.3.0 up to 1.9.1 and Nomad Enterprise from 1.3.0 up to 1.9.1, 1.8.6, and 1.7.14. The issue was discovered by HashiCorp's Nomad engineering teams and was disclosed on November 7, 2024 (HashiCorp Discuss).

The vulnerability exists in Nomad's storage plugin system, specifically in the authorization checks for volume creation and registration. When ACLs are enabled, the volume create command requires a token with the csi-write-volume capability for the volume's namespace. The flaw allows attackers to bypass intended ACLs by manipulating the namespace field in the volume spec while setting a different namespace in the command line or API call. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N (NVD).

The vulnerability enables attackers with csi-write-volume capability in one namespace to create or register external storage volumes in other namespaces where they don't have permissions. This breaks the namespace isolation model and could lead to unauthorized access to storage resources across namespace boundaries.

The vulnerability has been fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise versions 1.9.2, 1.8.7, and 1.7.15. Organizations using affected versions should upgrade to the patched versions. Users should follow the general Nomad upgrade guidance and version-specific upgrade notes when performing the update (HashiCorp Discuss).