Skip to content

PRP: hashicorp nomad exposed UI RCE#694

Merged
copybara-service[bot] merged 6 commits intogoogle:masterfrom
am0o0:hashicorp_nomad_RCE
Mar 9, 2026
Merged

PRP: hashicorp nomad exposed UI RCE#694
copybara-service[bot] merged 6 commits intogoogle:masterfrom
am0o0:hashicorp_nomad_RCE

Conversation

@am0o0
Copy link
Copy Markdown
Contributor

@am0o0 am0o0 commented Aug 19, 2025

Testbed:
google/security-testbeds#158

PRP issue:
#687

@am0o0 am0o0 mentioned this pull request Aug 20, 2025
Closed
@leonardo-doyensec leonardo-doyensec self-requested a review August 21, 2025 14:06
@tooryx tooryx linked an issue Aug 27, 2025 that may be closed by this pull request
PRP: Hashicorp Nomad None RCE #687
Closed
@robert-doyensec
Copy link
Copy Markdown
Collaborator

robert-doyensec commented Feb 12, 2026

Hi @am0o0 , just a reminder that this is waiting on the testbed ( google/security-testbeds#158 (comment) )

@robert-doyensec
Copy link
Copy Markdown
Collaborator

robert-doyensec commented Feb 19, 2026

Hi @am0o0 , I'm running into trouble confirming the vulnerability with the provided detector. The curl command that you included in the README for the testbed seems to work, but the templated detector gives this error in the server (with no callback triggered):
[DEBUG] http: request failed: method=POST path=/v1/jobs error="invalid character 't' after object key:value pair" code=400
Can you confirm that the templated detector works on your end, and if not, update it? I think it's probably an escaping issue somewhere, but couldn't immediately find it.

@am0o0
Copy link
Copy Markdown
Contributor Author

am0o0 commented Feb 20, 2026

@robert-doyensec Hi
Thank you for reviewing this PR I fixed the issue by trying to remove a field value that wasn't necessary to exist, and the plugin works fine this time.

@robert-doyensec robert-doyensec self-requested a review February 25, 2026 21:53
robert-doyensec
robert-doyensec suggested changes Feb 25, 2026
View reviewed changes
Comment thread templated/templateddetector/plugins/exposedui/HashicorpNomad_ExposedUI.textproto Outdated
Comment thread templated/templateddetector/plugins/exposedui/HashicorpNomad_ExposedUI.textproto Outdated
Comment thread templated/templateddetector/plugins/exposedui/HashicorpNomad_ExposedUI.textproto Outdated
am0o0 and others added 3 commits February 27, 2026 19:55
@am0o0 @robert-doyensec
Update templated/templateddetector/plugins/exposedui/HashicorpNomad_E…
9f999b7 
…xposedUI.textproto

Co-authored-by: Robert Dick <robert@doyensec.com>
@am0o0 @robert-doyensec
Update templated/templateddetector/plugins/exposedui/HashicorpNomad_E…
f1dd6c5 
…xposedUI.textproto

Co-authored-by: Robert Dick <robert@doyensec.com>
@am0o0 @robert-doyensec
Update templated/templateddetector/plugins/exposedui/HashicorpNomad_E…
0988bc4 
…xposedUI.textproto

Co-authored-by: Robert Dick <robert@doyensec.com>
@robert-doyensec
Copy link
Copy Markdown
Collaborator

robert-doyensec commented Feb 27, 2026

LGTM - Approved
@tooryx , this can be merged alongside google/security-testbeds#158

Reviewer: Robert, Doyensec
Plugin: Hashicorp Nomad Exposed UI RCE
Drawbacks: None.

@copybara-service copybara-service Bot merged commit 204cd65 into google:master Mar 9, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tooryx tooryx tooryx approved these changes

@leonardo-doyensec leonardo-doyensec Awaiting requested review from leonardo-doyensec

+1 more reviewer

@robert-doyensec robert-doyensec robert-doyensec requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@am0o0 am0o0

Labels

lgtm templated

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PRP: Hashicorp Nomad None RCE

3 participants

@am0o0 @robert-doyensec @tooryx