{"id":"GHSA-vf6q-9f2f-mwhv","summary":"Improper network isolation in Hashicorp Nomad","details":"HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.","aliases":["CVE-2021-32575","GO-2022-0709"],"modified":"2024-08-21T15:42:30.396534Z","published":"2021-06-24T20:28:21Z","database_specific":{"cwe_ids":["CWE-1100"],"github_reviewed":true,"severity":"MODERATE","github_reviewed_at":"2021-06-18T18:39:21Z","nvd_published_at":"2021-06-17T19:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32575"},{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2021-14-nomad-bridge-networking-mode-allows-arp-spoofing-from-other-bridged-tasks-on-same-node/24296"},{"type":"WEB","url":"https://www.hashicorp.com/blog/category/nomad"}],"affected":[{"package":{"name":"github.com/hashicorp/nomad","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/nomad"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"},{"fixed":"1.0.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vf6q-9f2f-mwhv/GHSA-vf6q-9f2f-mwhv.json"}},{"package":{"name":"github.com/hashicorp/nomad","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/nomad"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.12.12"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vf6q-9f2f-mwhv/GHSA-vf6q-9f2f-mwhv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}