Description
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.
References (4)
Core References
Product, Vendor Advisory x_refsource_misc
https://discuss.hashicorp.com
Vendor Advisory x_refsource_misc
https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220331-0007/
Various Sources x_refsource_misc
https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/
Scores
CVSS v3
7.5
EPSS
0.0069
EPSS Percentile
72.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
Status
published
Products (2)
hashicorp/nomad
1.0.0 - 1.0.17 (2 CPE variants)
hashicorp/nomad
1.0.0 - 1.0.17 (Go)
Published
Feb 28, 2022
Tracked Since
Feb 18, 2026