CVE-2022-41606

MEDIUM

HashiCorp Nomad <1.2.12, <1.3.5 - DoS

Title source: llm

Description

HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

References (2)

Core 2

Core References

Vendor Advisory

https://discuss.hashicorp.com

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420

Scores

CVSS v3 6.5

EPSS 0.0041

EPSS Percentile 61.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (2)

hashicorp/nomad 0 - 1.2.13Go

hashicorp/nomad 1.0.2 - 1.2.13 (2 CPE variants)

Published Oct 12, 2022

Tracked Since Feb 18, 2026