{"id":"CVE-2024-10975","details":"Nomad Community and Nomad Enterprise (\"Nomad\") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.","aliases":["GHSA-2w5v-x29g-jw7j","GO-2024-3262"],"modified":"2026-04-12T10:20:20.389210Z","published":"2024-11-07T21:15:06.383Z","related":["SUSE-SU-2024:4042-1","openSUSE-SU-2024:14482-1"],"references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/nomad","events":[{"introduced":"52e95d64113e01be05d585d8b4c07f6f19efebbc"},{"fixed":"24d03a922d7c60bb18a1d083598d6dcfbe380867"},{"fixed":"75cc694f6ef24f12b94bea982260f401b91358cf"},{"introduced":"28b82e4b2259fae5a62e2ed47395334bea5a24c4"},{"fixed":"ac8fa775591f69592ff0e27ee795e5616c4effab"},{"introduced":"7ad36851ec02f875e0814775ecf1df0229f0a615"},{"fixed":"75cc694f6ef24f12b94bea982260f401b91358cf"}],"database_specific":{"extracted_events":[{"introduced":"1.3.0"},{"fixed":"1.7.15"},{"fixed":"1.9.2"},{"introduced":"1.8.0"},{"fixed":"1.8.7"},{"introduced":"1.9.0"},{"fixed":"1.9.2"}],"cpe":["cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*"],"source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-10975.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"}]}