
CVE-2022-41606: Nomad Panics On Job Submission With Bad Artifact Stanza Source URL

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.50789%
CWE: -
Published: 10/12/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/hashicorp/nomad | go | < 1.2.13 | 1.2.13
github.com/hashicorp/nomad | go | >= 1.3.0, < 1.3.6 | 1.3.6

Vulnerability Intelligence
Root Cause Analysis

The provided vulnerability information indicates that the issue stems from improper panic handling when processing invalid S3/GCS URLs in artifact stanzas via the go-getter library. However, the analysis lacks critical details such as commit diffs, patch information, or explicit references to specific functions/modules in Nomad's codebase. While the artifact retrieval logic in client agents (likely in client/allocrunner/taskrunner/artifact.go or similar) is implicated, the absence of concrete code changes or function names prevents high-confidence identification of exact vulnerable functions. The fix involved adding panic recovery around go-getter calls, but without seeing the pre-patch code, we cannot definitively name the unprotected functions.
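
The mitigation named above, panic recovery around the download call, shown as an added Go example. It is not code from Nomad or go-getter: `fetchFunc`, `brittleFetch` and `safeFetch` are hypothetical names, and the stand-in parser and both URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// fetchFunc stands in for a third-party download call (hypothetical
// signature, not go-getter's API).
type fetchFunc func(src string) error

// brittleFetch is a constructed stand-in for a library parser that indexes
// into a slice without a length check, so some inputs panic instead of
// returning an error.
func brittleFetch(src string) error {
	u, err := url.Parse(src)
	if err != nil {
		return err
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	_ = segs[1] // panics when the path has fewer than two segments
	return nil
}

// safeFetch runs fetch and converts any panic raised on this goroutine into
// an ordinary error, so one bad artifact source fails one task rather than
// the whole agent process.
func safeFetch(fetch fetchFunc, src string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("artifact fetch panicked for %q: %v", src, r)
		}
	}()
	return fetch(src)
}

func main() {
	for _, src := range []string{
		"https://files.example.com/bucket/app.tar.gz", // constructed, well-formed
		"https://files.example.com/",                  // constructed, path too short
	} {
		fmt.Printf("%-45s -> %v\n", src, safeFetch(brittleFetch, src))
	}
}
```

`recover` only intercepts panics raised on the goroutine that deferred it, so a wrapper like this does not cover goroutines the wrapped library starts on its own.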


WAF Protection Rules

WAF Rule

HashiCorp Nomad and Nomad Enterprise *.*.* up to *.*.**, and *.*.* jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in *.*.**, *.*.*, and *.*.*.
