{"id":"GHSA-7v3g-4878-5qrf","summary":"Nomad Panics On Job Submission With Bad Artifact Stanza Source URL","details":"HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.","aliases":["CVE-2022-41606","GO-2022-1062"],"modified":"2025-05-20T21:04:22Z","published":"2022-10-12T12:00:21Z","database_specific":{"severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-20"],"nvd_published_at":"2022-10-12T00:15:00Z","github_reviewed_at":"2022-10-12T20:03:06Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41606"},{"type":"WEB","url":"https://discuss.hashicorp.com"},{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420"},{"type":"PACKAGE","url":"https://github.com/hashicorp/nomad"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2022-1062"}],"affected":[{"package":{"name":"github.com/hashicorp/nomad","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/nomad"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.13"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-7v3g-4878-5qrf/GHSA-7v3g-4878-5qrf.json"}},{"package":{"name":"github.com/hashicorp/nomad","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/nomad"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.3.0"},{"fixed":"1.3.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-7v3g-4878-5qrf/GHSA-7v3g-4878-5qrf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}