CVE: CVE-2020-7218

Export to Word

HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3.

Threat-Mapped Scoring

Score: 1.9

Priority: P3 - Important (Medium)

S9 – Sabotage of System/App
S10 – Denial of Service (+0.1 bonus)

EPSS

Score: 0.00772
Percentile: 0.72558

CVSS Scoring

CVSS v3.1 Score: 7.5

Severity: HIGH

Mapped CWE(s)

CWE-770 : Allocation of Resources Without Limits or Throttling

All CAPEC(s)

CAPEC-125: Flooding
CAPEC-130: Excessive Allocation
CAPEC-147: XML Ping of the Death
CAPEC-197: Exponential Data Expansion
CAPEC-229: Serialized Data Parameter Blowup
CAPEC-230: Serialized Data with Nested Payloads
CAPEC-231: Oversized Serialized Data Payloads
CAPEC-469: HTTP DoS
CAPEC-482: TCP Flood
CAPEC-486: UDP Flood
CAPEC-487: ICMP Flood
CAPEC-488: HTTP Flood
CAPEC-489: SSL Flood
CAPEC-490: Amplification
CAPEC-491: Quadratic Data Expansion
CAPEC-493: SOAP Array Blowup
CAPEC-494: TCP Fragmentation
CAPEC-495: UDP Fragmentation
CAPEC-496: ICMP Fragmentation
CAPEC-528: XML Flood

CAPEC(s) with Mapped TTPs

CAPEC-125: Flooding
Mapped TTPs:
- T1498.001 : Direct Network Flood
- T1499 : Endpoint Denial of Service
CAPEC-130: Excessive Allocation
Mapped TTPs:
- T1499.003 : Application Exhaustion Flood
CAPEC-469: HTTP DoS
Mapped TTPs:
- T1499.002 : Service Exhaustion Flood
CAPEC-482: TCP Flood
Mapped TTPs:
- T1498.001 : Direct Network Flood
- T1499.001 : OS Exhaustion Flood
- T1499.002 : Service Exhaustion Flood
CAPEC-488: HTTP Flood
Mapped TTPs:
- T1499.002 : Service Exhaustion Flood
CAPEC-489: SSL Flood
Mapped TTPs:
- T1499.002 : Service Exhaustion Flood
CAPEC-490: Amplification
Mapped TTPs:
- T1498.002 : Reflection Amplification
CAPEC-528: XML Flood
Mapped TTPs:
- T1499.002 : Service Exhaustion Flood
- T1498.001 : Direct Network Flood

Mapped ATT&CK TTPs

T1498.001 : Direct Network Flood
Kill Chain: impact
T1499 : Endpoint Denial of Service
Kill Chain: impact
T1499.003 : Application Exhaustion Flood
Kill Chain: impact
T1499.002 : Service Exhaustion Flood
Kill Chain: impact
T1498.001 : Direct Network Flood
Kill Chain: impact
T1499.001 : OS Exhaustion Flood
Kill Chain: impact
T1499.002 : Service Exhaustion Flood
Kill Chain: impact
T1499.002 : Service Exhaustion Flood
Kill Chain: impact
T1499.002 : Service Exhaustion Flood
Kill Chain: impact
T1498.002 : Reflection Amplification
Kill Chain: impact
T1499.002 : Service Exhaustion Flood
Kill Chain: impact
T1498.001 : Direct Network Flood
Kill Chain: impact

Malware

APTs Threat Group Associations

Sandworm Team

Campaigns

Affected Products

cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*

← Back to Home