Nomad before version 1.2.1 with the QEMU task driver enabled allowed authenticated users with job submission capabilities to bypass the configured allowed paths for images.
https://github.com/hashicorp/nomad/issues/11542
https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285

Workaround
==========

The issue can be mitigated by disabling the QEMU task driver using the following client agent configuration snippet:

    plugin "qemu" {
      enabled = false
    }
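
An audit check for the workaround above, added here as an example (it is not code from the advisory or from the Nomad project): given an agent version string and the text of one client configuration file, it reports whether the node is older than 1.2.1 and has not explicitly disabled the QEMU driver. Assumptions: the function names and sample configurations are constructed, the driver is treated as enabled unless `enabled = false` appears, and configuration merged from several files is not handled.

```python
import re

FIXED = (1, 2, 1)  # first release that is not affected, per the advisory

# Matches a quoted string or a comment, so comment markers inside strings survive.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|(?:#|//)[^\n]*', re.S)

def strip_comments(hcl):
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", hcl)

def parse_version(v):
    # Accepts "1.2.0", "v1.2.0", "1.1.6+ent"; pre-release suffixes are ignored.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    return tuple(int(x) for x in m.groups())

def qemu_enabled(hcl):
    """False only if a plugin "qemu" block sets enabled = false at its top level."""
    text = strip_comments(hcl)
    enabled = True  # assumption: driver counts as enabled unless explicitly disabled
    for m in re.finditer(r'\bplugin\s+"qemu"\s*\{', text):
        depth, top, in_str, i = 1, [], False, m.end()
        while i < len(text) and depth:
            c = text[i]
            if in_str:
                if c == "\\":
                    i += 1          # skip the escaped character
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            elif depth == 1:
                top.append(c)       # keep only text directly inside the plugin block
            i += 1
        s = re.search(r"\benabled\s*=\s*(true|false)\b", "".join(top))
        if s:
            enabled = s.group(1) == "true"
    return enabled

def exposed(version, hcl):
    return parse_version(version) < FIXED and qemu_enabled(hcl)

# Constructed sample client configurations (not taken from the advisory).
MITIGATED = 'client { enabled = true }\n# plugin "qemu" { }\nplugin "qemu" {\n  enabled = false\n}\n'
UNMITIGATED = 'plugin "qemu" {\n  config { image_paths = ["/opt/images"] }\n}\n'
```

A workaround line that is commented out is not counted as a mitigation, because comments are stripped before the block is inspected.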