{"id":"CVE-2021-43415","details":"HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.","aliases":["GHSA-2jhh-5xm2-j4gf","GO-2022-0573"],"modified":"2026-04-10T04:40:06.753176Z","published":"2021-12-03T22:15:07.757Z","references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288"},{"type":"ADVISORY","url":"https://www.hashicorp.com/blog/category/nomad"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/nomad","events":[{"introduced":"a480eed0815c54612856d9115a34bb1d1a773e8c"},{"fixed":"1fae1e1abaf06d55571cfe279788d915345ca5c4"},{"introduced":"a480eed0815c54612856d9115a34bb1d1a773e8c"},{"fixed":"1fae1e1abaf06d55571cfe279788d915345ca5c4"},{"introduced":"f99f1e27bb66bee36a1f3cdf00335e81e93ffff2"},{"fixed":"189d3f1b8dbd2c6971752382e0800927d80edda7"},{"introduced":"f99f1e27bb66bee36a1f3cdf00335e81e93ffff2"},{"fixed":"189d3f1b8dbd2c6971752382e0800927d80edda7"},{"introduced":"0"},{"last_affected":"bee0c3e04eb4ce34b8ac22ff27fcb421a9dccec5"},{"introduced":"0"},{"last_affected":"bee0c3e04eb4ce34b8ac22ff27fcb421a9dccec5"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"1.0.14"},{"introduced":"1.0.0"},{"fixed":"1.0.14"},{"introduced":"1.1.0"},{"fixed":"1.1.8"},{"introduced":"1.1.0"},{"fixed":"1.1.8"},{"introduced":"0"},{"last_affected":"1.2.0-NA"},{"introduced":"0"},{"last_affected":"1.2.0-NA"}]}}],"versions":["show","v0.0.0","v0.1.0","v0.1.1","v0.1.2","v0.10.0-beta1","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.3-rc1","v0.3.0-rc2","v0.3.1","v0.3.2","v0.3.2-rc1","v0.3.2-rc2","v0.3rc1","v0.4.0","v0.4.0-rc1","v0.4.0-rc2","v0.4.1","v0.4.1-rc1","v0.5.0","v0.5.0-rc1","v0.5.0-rc2","v0.5.1","v0.5.1-rc1","v0.5.1-rc2","v0.5.2","v0.5.2-rc1","v0.5.3","v0.5.5","v0.5.5-rc1","v0.5.5-rc2","v0.5.6","v0.5.6-rc1","v0.6.0","v0.6.0-rc1","v0.6.0-rc2","v0.6.1","v0.6.2","v0.6.3-rc1","v0.7.0","v0.7.0-rc1","v0.7.0-rc2","v0.7.0-rc3","v0.7.1","v0.7.1+pro","v0.7.1-rc1","v0.7.1-rc1+pro","v0.8.0","v0.8.0+pro","v0.8.0-rc1","v0.8.0-rc1+pro","v0.8.2","v0.8.3","v0.8.4","v0.8.4-rc1","v0.9.0","v0.9.0-beta1","v0.9.0-beta2","v0.9.0-beta3","v0.9.0-rc1","v0.9.0-rc2","v0.9.2","v0.9.2-rc1","v0.9.3","v0.9.4","v0.9.4-rc1","v1.0.10","v1.0.11","v1.0.12","v1.0.13","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.0.8","v1.0.9","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.7","v1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43415.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}