Vulnerability details: VCID-mt6v-wu59-2fe3
Vulnerability ID VCID-mt6v-wu59-2fe3
Aliases CVE-2022-24683
GHSA-wmrx-57hm-mw7r
Summary Arbitrary file reads in HashiCorp Nomad. Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
System Score Found at
cvssv3.1 7.5 github.com/hashicorp/nomad
generic_textual HIGH github.com/hashicorp/nomad
epss 0.00474 https://api.first.org/data/v1/epss?cve=CVE-2022-24683
cvssv3.1 7.5 https://discuss.hashicorp.com
generic_textual HIGH https://discuss.hashicorp.com
cvssv3.1 7.5 https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
generic_textual HIGH https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
cvssv3.1 7.5 https://github.com/hashicorp/nomad/commit/1aa46c3796e924b72eb45a7f02dae32df0c1179c
generic_textual HIGH https://github.com/hashicorp/nomad/commit/1aa46c3796e924b72eb45a7f02dae32df0c1179c
cvssv3.1 7.5 https://github.com/hashicorp/nomad/commit/b3c0e6a7a53d624003698b48b6c59739552c3721
generic_textual HIGH https://github.com/hashicorp/nomad/commit/b3c0e6a7a53d624003698b48b6c59739552c3721
cvssv3.1 7.5 https://github.com/hashicorp/nomad/commit/fcb3a5d016a3dfcc63efcdb567373735a0703279
generic_textual HIGH https://github.com/hashicorp/nomad/commit/fcb3a5d016a3dfcc63efcdb567373735a0703279
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-24683
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-24683
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20220318-0008
generic_textual HIGH https://security.netapp.com/advisory/ntap-20220318-0008
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at github.com/hashicorp/nomad
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://discuss.hashicorp.com
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/hashicorp/nomad/commit/1aa46c3796e924b72eb45a7f02dae32df0c1179c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/hashicorp/nomad/commit/b3c0e6a7a53d624003698b48b6c59739552c3721
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/hashicorp/nomad/commit/fcb3a5d016a3dfcc63efcdb567373735a0703279
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24683
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20220318-0008
Exploit Prediction Scoring System (EPSS)
Percentile 0.64716
EPSS Score 0.00474
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:06:27.055174+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-wmrx-57hm-mw7r/GHSA-wmrx-57hm-mw7r.json 38.0.0