{"api_version":"1","generated_at":"2026-04-23T06:20:23+00:00","cve":"CVE-2021-43415","urls":{"html":"https://cve.report/CVE-2021-43415","api":"https://cve.report/api/cve/CVE-2021-43415.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-43415","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-43415"},"summary":{"title":"CVE-2021-43415","description":"HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-12-03 22:15:00","updated_at":"2023-08-08 14:22:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://www.hashicorp.com/blog/category/nomad","name":"https://www.hashicorp.com/blog/category/nomad","refsource":"MISC","tags":[],"title":"HashiCorp Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288","name":"https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288","refsource":"MISC","tags":[],"title":"HCSEC-2021-31 - Nomad QEMU Task Driver Allowed Paths Bypass with Job Args - Security - HashiCorp Discuss","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-43415","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43415","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"43415","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"nomad","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43415","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"nomad","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43415","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"nomad","cpe6":"1.2.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43415","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"nomad","cpe6":"1.2.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-43415","qid":"502316","title":"Alpine Linux Security Update for nomad"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-43415","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.hashicorp.com/blog/category/nomad","refsource":"MISC","name":"https://www.hashicorp.com/blog/category/nomad"},{"refsource":"MISC","name":"https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288","url":"https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288"}]}},"nvd":{"publishedDate":"2021-12-03 22:15:00","lastModifiedDate":"2023-08-08 14:22:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.0.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.0.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*","versionStartIncluding":"1.1.0","versionEndExcluding":"1.1.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.1.0","versionEndExcluding":"1.1.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:nomad:1.2.0:-:*:*:-:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:nomad:1.2.0:-:*:*:enterprise:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"43415","Ordinal":"220476","Title":"CVE-2021-43415","CVE":"CVE-2021-43415","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"43415","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}